Don’t Hash Secrets — I had this article on my to-read list for quite a long time and finally managed to read it. It's an article about the pitfalls behind the idea of hashing everything. It explains why salting hashes is a good thing -- especially if a user uses a quite strong password -- since it adds a difficulty vector for attackers (the dictionary for the attack has to be rebuilt for every user because of the individual salt). It also states that salting won't prevent successful dictionary-based attacks on weak passwords (I'm looking at you guys, with an 8-char password consisting only of letters), so that nobody hits on the idea that salting is the Holy Grail of secure hashing. The article also uses various examples to describe the problems that arise with each insecure procedure (from hashing to signing). It's a well-written article, and I can recommend it to everyone. It's always surprising to read about hacked sites nowadays that still store MD5 hashes of passwords in the database.
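As an added example (my own code, not from the linked article), here is the salting argument in Python: the unsalted MD5 scheme the post criticises next to a per-user salted PBKDF2 record, showing why one precomputed table serves every account in the first case but not the second. The iteration count and salt length are assumed values, not taken from the article.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Assumed parameters for this example: tune the iteration count to your
# hardware and raise it over time; 16 random bytes of salt per user.
ITERATIONS = 200_000
SALT_BYTES = 16


def unsalted_md5(password: str) -> str:
    """The legacy scheme the post warns about: no salt, fast hash.
    Every user with the same password gets the same digest, so one
    precomputed dictionary serves every account in a leaked table."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Per-user random salt plus a slow, iterated KDF (PBKDF2-HMAC-SHA256).
    Returns (salt, digest); store both next to the account record."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, stored_digest: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, stored_digest)


def compare_schemes(password: str) -> dict:
    """Constructed demo: two users (alice, bob) choose the same password.
    Unsalted MD5 records are identical; salted records differ, so an
    attacker's dictionary would have to be rebuilt per user."""
    alice_salt, alice_digest = hash_password(password)
    bob_salt, bob_digest = hash_password(password)
    return {
        "md5_identical": unsalted_md5(password) == unsalted_md5(password),
        "salted_identical": alice_digest == bob_digest,
        "alice_verifies": verify_password(password, alice_salt, alice_digest),
        "bob_rejects_wrong": verify_password(password + "x", bob_salt, bob_digest),
    }


if __name__ == "__main__":
    print(compare_schemes("correcthorse"))
```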