Hacker Timesnew | past | comments | ask | show | jobs | submitlogin

If they're using dedicated hardware, why not use smartcards to salt the hash.

From the article, even 74kh/s is going to tear through a lot of passwords, but with a secure element in the mix, offline attacks go nowhere.



The purpose of a password hash is to protect the password authenticators in the event the database is compromised. If you define away the possibility of a database compromise, just store them in plaintext.


I'm not trying to define away the possibility of a database compromise, I'm integrating a secure element into the hashing scheme that can compute an HMAC without exposing its key.


Wherever you're storing the key, where it's inaccessible to attackers, just store the password.

I'm not even saying that keyed hashes are a bad idea. I'm saying they're orthogonal to the question being discussed on the thread.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: