Password hashing etc

Please try to keep all the discussions in the main H&M forums on topic! If you have anything else you want to share, on any subject whatsoever, please post it here!

Moderator: Tim Green

Simon Dismore
Posts: 454
Joined: Thu Nov 16, 2006 1:29 pm
Location: London, UK

Password hashing etc

Unread post by Simon Dismore »

In [url=https://helpman.it-authoring.com/viewtopic.php?f=14&t=13988]Using HTTPS instead of HTTP for forums[/url] Tim Green wrote:...phpBB definitely isn't perfect. As far as I can see the password hashing is performed on the server side with a PHP function, when it should ideally be hashed at the user end with a JS function instead, so that only the hash is ever sent across the net. That would be the main reason for activating https -- I'm currently waiting for a Let's Encrypt certificate for just that purpose. In the long term, I'm hoping that phpBB gets a SQRL interface, although I'm not holding my breath.

There's not a lot you can do about users using bad passwords and the same bad password for every site, apart from encouraging them to get LastPass or something like it. :roll:
Nice work setting up TLS so quickly!

I was interested in your comments about hashing. AFAICS the idea of re-using the same password but hashing in the browser relies on you salting it per domain. Otherwise when one server's password table is compromised every use of that password on other domains is compromised too. And there's the perennial question of how to "code sign" javascript etc. It might be OK as a component of a defense in depth (salted hash in the browser, sent via TLS, then encrypted at the server).

I could find only two papers discussing SQRL on google Scholar (http://link.springer.com/chapter/10.100 ... 12400-1_19 and https://www.os3.nl/_media/2013-2014/cou ... report.pdf) so at the moment it is just an interesting idea. There seems to be a general issue with all visual code authentication schemes that because a QR-code is opaque, the user has to be vigilant to detect phishing or relay attacks. If that can be solved it's a promising approach ...though Steve Gibson's expertise is apparently not respected in all quarters (e.g. http://www.theregister.co.uk/2006/01/21 ... rc/?page=2).

Enterprise LastPass is good value IMO even if you only have a handful of users. In addition to the usual password manager features it can check users' vaults and reports on password strength and re-use. It also supports shared records which can be useful sometimes.
Locked