[Owasp-leaders] Stepping through password hashing options

William Stranathan will at thestranathans.com
Tue Jun 12 01:37:54 UTC 2012


Rogan:

Agreed. I meant personally as a consumer, not a producer. If a site allows
me to have a passphrase, I use it, crossing my fingers they salt it
(hopefully twice). The other option is don't use the service (which I also
do from time to time).


> Date: Mon, 11 Jun 2012 16:19:29 +0200
> From: Rogan Dawes <rogan at dawes.za.net>
> To: owasp-leaders at lists.owasp.org
> Subject: Re: [Owasp-leaders] Stepping through password hashing options
> Message-ID: <4FD5FE71.6050301 at dawes.za.net>
> Content-Type: text/plain; charset=ISO-8859-1; format=flowed
>
> On 11/06/2012 16:01, William Stranathan wrote:
> > Jim:
>
> > But again - you're spot-on in the summary - passwords are dead (at
> > least I hope). As much as possible, I personally use passphrases and
> > MFA.
>
> Unfortunately, a passphrase is simply a password where the allowed
> character set includes [:space:].
>
> Reference the LinkedIn password cracking, which has unearthed a
> 29-character password, comprising a verse from the Bible:
>
>
> https://newsessentials.wordpress.com/2012/06/09/linkedin-millions-of-passwords-stolen-and-posted-on-the-internet-by-russian-hackers/
>
> So, even a long passphrase devolves into something crackable, so long as
> you restrict yourself to actual words, with minor punctuation.
>
> Rogan

-- 
-- coleslaw
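Rogan's point above (a passphrase built only from words, or lifted from a known verse, is far weaker than its character count suggests) can be turned into a registration-time policy check. The following is an added example, not code from this thread or from OWASP; the wordlist, the known-phrase list and the DICT_SIZE / PHRASE_LIST_SIZE constants are constructed stand-ins for a real cracking dictionary and quote corpus.

```python
import math
import re

# Constructed toy data. A real cracking setup uses a dictionary of tens of
# thousands of words and a list of millions of known quotes, verses and
# lyrics; DICT_SIZE and PHRASE_LIST_SIZE model those sizes (assumptions).
WORDLIST = {"the", "lord", "is", "my", "shepherd", "i", "shall", "not", "want",
            "correct", "horse", "battery", "staple"}
KNOWN_PHRASES = {"the lord is my shepherd i shall not want"}
DICT_SIZE = 50_000
PHRASE_LIST_SIZE = 10_000_000
CHARSET_SIZE = 95  # printable ASCII: a passphrase is a password with [:space:]


def _tokens(phrase):
    """Lower-case the phrase and strip minor punctuation, returning word tokens."""
    return [t.strip("'") for t in re.findall(r"[a-z']+", phrase.lower())]


def passphrase_strength(phrase):
    """Estimate the guess space of a passphrase under three attacker models.

    char_bits:   brute force over the full character set (the naive view).
    word_bits:   every token is a dictionary word, so the attacker combines
                 DICT_SIZE words instead of CHARSET_SIZE characters.
    phrase_bits: the phrase is a known quote, so it is one entry in a
                 phrase list, which is how a verse-length passphrase falls.
    The effective strength is the minimum over the models that apply.
    """
    tokens = _tokens(phrase)
    models = {"char_bits": len(phrase) * math.log2(CHARSET_SIZE)}
    if tokens and all(t in WORDLIST for t in tokens):
        models["word_bits"] = len(tokens) * math.log2(DICT_SIZE)
    if " ".join(tokens) in KNOWN_PHRASES:
        models["phrase_bits"] = math.log2(PHRASE_LIST_SIZE)
    weakest = min(models, key=models.get)
    return {"words": len(tokens), "weakest_model": weakest,
            "effective_bits": round(models[weakest], 1),
            **{k: round(v, 1) for k, v in models.items()}}


def acceptable(phrase, min_bits=60.0):
    """Policy check: reject passphrases whose weakest model is below min_bits."""
    return passphrase_strength(phrase)["effective_bits"] >= min_bits
```

The verse-style passphrase scores about 23 bits under the phrase-list model despite its 41 characters, while four random dictionary words score about 62 bits under the word model.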