One simple trick for passwords the big companies don't want you to know about!
apis:
Password hashing isn't really encryption, no, which is why I put the word encryption in quotation marks (and wrote hashing in parentheses for those who did know what it was). Most people have an understanding of what encryption is but not necessarily hashing. I hope people still got the basic idea: the password gets scrambled so it's hard to figure out what it is. The better the password you choose and the better the hashing algorithm, the harder it is to figure out.
Key derivation functions like PBKDF2 (although not what it was intended for) are sometimes used for password hashing, but that is not ideal either. And while commonly recommended, bcrypt might turn out to be too vulnerable as well. There was an attempt to come up with a better algorithm a few years ago through an open competition, similar to how NIST has come up with its recommendations in the past, called the Password Hashing Competition: https://password-hashing.net.
But I wouldn't recommend any particular function here. As I said, this gets complicated quickly and there are lots of pitfalls; don't take advice from an anonymous internet forum if you need to protect something that is valuable.
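The post above describes the idea (a password is salted and run through a slow, one-way function, and a leaked hash can only be attacked by guessing) without showing it. The following is an added example, not code from the post's author or from any of the projects mentioned; it uses PBKDF2-HMAC-SHA256 from the Python standard library because PBKDF2 is the function the post names. The `algorithm$iterations$salt$hash` storage format, the 600,000-iteration default and the sample passwords are assumptions made for this example.

```python
import hashlib
import hmac
import os
from typing import Optional

ALGORITHM = "pbkdf2_sha256"
DEFAULT_ITERATIONS = 600_000  # assumed work factor; tune it to ~100 ms per hash on your hardware
SALT_BYTES = 16
KEY_BYTES = 32


def hash_password(password: str, iterations: int = DEFAULT_ITERATIONS,
                  salt: Optional[bytes] = None) -> str:
    """Derive a salted, iterated hash and encode it together with its parameters.

    Storage format (assumed for this example): algorithm$iterations$salt_hex$hash_hex.
    Keeping the parameters beside the hash lets old records still verify after
    the work factor is raised.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # fresh random salt for every password
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                             iterations, dklen=KEY_BYTES)
    return f"{ALGORITHM}${iterations}${salt.hex()}${dk.hex()}"


def _parse(stored: str):
    algorithm, iterations, salt_hex, hash_hex = stored.split("$")
    if algorithm != ALGORITHM:
        raise ValueError(f"unsupported algorithm: {algorithm}")
    return int(iterations), bytes.fromhex(salt_hex), bytes.fromhex(hash_hex)


def verify_password(password: str, stored: str) -> bool:
    """Re-derive with the stored salt and iteration count, then compare."""
    iterations, salt, expected = _parse(stored)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                    iterations, dklen=len(expected))
    # Constant-time comparison: a plain == stops at the first differing byte
    # and leaks timing information.
    return hmac.compare_digest(candidate, expected)


def needs_rehash(stored: str, iterations: int = DEFAULT_ITERATIONS) -> bool:
    """True if the record was made with a lower work factor than current policy."""
    stored_iterations, _, _ = _parse(stored)
    return stored_iterations < iterations


def guess_from_wordlist(stored: str, wordlist) -> Optional[str]:
    """What an attacker does with a leaked hash: there is no key to 'decrypt'
    it, only guessing. Returns the guess that verifies, or None."""
    for guess in wordlist:
        if verify_password(guess, stored):
            return guess
    return None


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print(verify_password("correct horse battery staple", record))  # True
    print(verify_password("Tr0ub4dor&3", record))                   # False
    # Same password, different salt, different hash: identical passwords on
    # two accounts are not visible in a leaked table.
    print(hash_password("hunter2") != hash_password("hunter2"))     # True
    # A weak password falls to a short guess list no matter how slow the KDF is.
    weak = hash_password("hunter2", iterations=10_000)
    print(guess_from_wordlist(weak, ["password", "123456", "hunter2"]))  # hunter2
```

The two halves of the block make the post's two points concrete: salt and iteration count are what make the stored value resist bulk cracking, and nothing in the function lets anyone reverse it, so a password that appears in a guess list is recovered in a handful of calls regardless of the algorithm chosen.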
golden_labels:
People considering switching to a password manager may wish to read the “Before you use a password manager” article recently mentioned by Schneier. It discusses risks involved in using a password manager, as well as approaches that provide no gain.
orion242:
Seems like fairly weak reasons to avoid PW managers.
If you reuse the same PW everywhere... you must have the capacity to remember one...
If you do reuse that one PW everywhere, well, it's all eggs in one basket, isn't it. Any single breach on multiple sites could be a complete day wrecker.
If you have malware on your machine... you're 100% pwned already.
Good PW managers fix any flaws in near real time and only store encrypted blobs. Minor risk compared to the PW reuse IMO.
To each his own.
orion242:
Something to think about with PW reuse.
https://krebsonsecurity.com/2013/06/the-value-of-a-hacked-email-account/
And with SIM swapping seemingly trivial and prevalent these days, 2FA over SMS is pretty crap as well.
golden_labels:
--- Quote from: orion242 on June 21, 2019, 01:02:51 am ---Seems like fairly weak reasons to avoid PW managers.
--- End quote ---
Uhh… in the initial version of my post I urged people to read beyond the first paragraph. It seems I shouldn't have removed that request. :|
The article is not suggesting avoiding password managers. It discusses common pitfalls and mistakes which an average person may encounter when first facing that technology. People are only people and the human factor must be taken into account. I am and, until the solution is widely considered wrong, I will promote the use of password managers, criticize using bad passwords and ridicule security theater. But I will not tell my mother to jump into the topic headlong. Password managers are undoubtedly the best available solution, but you still need to learn how to use them properly. And the article shows the potential problems and provides a quite safe path to including a password manager in your security policies.