[WEB SECURITY] FW: Password Manager with Fingerprint Verification

James Manico jim at manico.net
Thu Jun 9 14:39:58 EDT 2011


Using bcrypt in a static way is a poor idea. You must also increase the work
factor over time. The article below fails to recommend a specific work
factor, nor does it suggest that the work factor needs to increase over time.

Bcrypt is a good solution for password storage, don't get me wrong, but it's
not the only solution.

Salting can also lower dictionary attack risks in some situations if you
isolate the salt from the hash.

Respectfully,
Jim Manico

On Jun 9, 2011, at 19:31, Thomas Ptacek <thomas at matasano.com> wrote:

You're right; they can only use bcrypt if they're on Rails, Python, PHP,
Perl, .NET, Java, C/C++, or Erlang.

Iterating SHA256 correctly is a little trickier than just repeatedly
rehashing (see: RFC2898 for PBKDF2), but does work.

In working with and talking to over a hundred startup web developers, I've
learned that when you leave password hashing open to implementation (for
instance, by rolling your own "stretched" SHA256), you end up with people
who use secret salts. It's better --- it's just better --- to use bcrypt.

On Jun 9, 2011, at 1:27 PM, James Manico wrote:

Not everyone had access to bcrypt. Iterating the hash thousands of times
mitigates the concern in the paper below. This hash iteration count is
basically the same thing as bcrypt's work factor, and, just like with bcrypt,
this work factor will need to be increased over time.

Hash iteration count was recommended to be 1000 in the year 2000 and should
be doubled every three years to be in line with bcrypt's work factor
recommendations.

Cheers from AppSecEU in Dublin.

Jim Manico
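The work-factor point Jim makes above (store the iteration count with the hash and raise it over time), as an added example that is not code from anyone in this thread: PBKDF2-HMAC-SHA256 per RFC 2898 with a random per-user salt, the count recorded in the stored string, and a login path that rehashes stale records. The iterations_for_year function is my reading of the "1000 in 2000, doubled every three years" rule; all function names are mine.

```python
import base64
import hashlib
import hmac
import os

# Rule of thumb quoted in the thread: 1000 iterations in 2000, doubled every
# three years. Floor division is my reading of "every three years".
BASE_YEAR, BASE_ITERATIONS, DOUBLING_PERIOD = 2000, 1000, 3

def iterations_for_year(year):
    """Iteration count the thread's rule of thumb prescribes for a year."""
    return BASE_ITERATIONS * 2 ** ((year - BASE_YEAR) // DOUBLING_PERIOD)

def hash_password(password, iterations, salt=None):
    """PBKDF2-HMAC-SHA256 (RFC 2898) with a random 16-byte per-user salt.
    Salt and iteration count are stored beside the digest, so the work
    factor can be raised later without a mass password reset."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256${}${}${}".format(
        iterations,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    )

def _parse(stored):
    scheme, iterations, salt_b64, digest_b64 = stored.split("$")
    if scheme != "pbkdf2_sha256":
        raise ValueError("unknown scheme: " + scheme)
    return int(iterations), base64.b64decode(salt_b64), base64.b64decode(digest_b64)

def verify_password(password, stored):
    """Recompute with the stored salt and count; compare in constant time."""
    iterations, salt, digest = _parse(stored)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, digest)

def login(password, stored, current_iterations):
    """Returns (ok, upgraded_record_or_None). A stale record is rehashed at
    the current count only on a successful login, the one moment the
    plaintext is in hand."""
    if not verify_password(password, stored):
        return False, None
    stored_iterations = _parse(stored)[0]
    if stored_iterations >= current_iterations:
        return True, None
    return True, hash_password(password, current_iterations)
```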

On Jun 9, 2011, at 17:12, Thomas Ptacek <thomas at matasano.com> wrote:

http://codahale.com/how-to-safely-store-a-password/

Just read this article and do exactly what it says.

On Jun 8, 2011, at 6:34 PM, Vikneswaran Kunasegaran wrote:

Hi Gautham,

So in your email below are you stating that without encryption, salting and
hashing alone would be secure and difficult to crack by unauthorised
people? I was just thinking too much on how to make my database secure; maybe
that's why I got into this. Sorry though hehe. So, in your opinion, what
would be your advice if I wanted to salt this password 1000 times and
then hash it, as this was a comment from another person who replied to my email.
Is it okay, or is the suggestion you made secure enough? Kindly awaiting
your reply on this. And thank you very much for replying to me Mr Gautham.
Really appreciate it.

Have a nice day.

------------------------------
Date: Tue, 7 Jun 2011 16:15:30 -0700
Subject: Re: Password Manager with Fingerprint Verification
From: itsecanalyst at gmail.com
To: rmc_0306 at hotmail.com
CC: security-basics at securityfocus.com; websecurity at webappsec.org

I am still trying to get my understanding clear here. Why would you want to
(salt+hash) and then encrypt it? Is just getting a hash not enough? You
can do salted+sha256 and you should be good.

If you want a clear text password, then you might want to encrypt it;
however, it all depends on what the final use of these credentials is. There are
more controls that you would need to get in place if you want to
encrypt-decrypt, and then key management is a big issue that you need to
think about.

G

On Tue, May 31, 2011 at 6:01 PM, <rmc_0306 at hotmail.com> wrote:

Hello Friends.

I'm a final year student in Computer Security / Forensics. I'm planning to do
a project which requires me to do encryption and decryption. My possible
choice of language would be VB.Net. I was wondering if what
is running in my mind can be executed. Well, I would make an application
where a part of it will be prompting the guest to register, and I wanted to
store the password in the database. I did some research and came across
Salting and Hashing. I was wondering if it is possible to get the password
which the user enters, salt it, hash it and encrypt it before I store it in the
database. If so, what is the most secure strong encryption I can use in
VB.net? Because throughout the research I have done, I have seen Rijndael as
the most favoured encryption algorithm which a lot of programmers are using. Just a thought
on this. Kindly advise me. Thank you for your generous help and for reading my
query.



_______________________________________________
The Web Security Mailing List

WebSecurity RSS Feed
http://www.webappsec.org/rss/websecurity.rss

Join WASC on LinkedIn
http://www.linkedin.com/e/gis/83336/4B20E4374DBA

WASC on Twitter
http://twitter.com/wascupdates

websecurity at lists.webappsec.org
http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org



---
Thomas Ptacek // matasano security // founder, product manager
reach me direct: 888-677-0666 x7805

"The truth will set you free. But not until it is finished with you."
