From: Datesfat Chicks on 19 May 2010 20:10

"Mok-Kong Shen" <mok-kong.shen(a)t-online.de> wrote in message news:hss7mq$qg2$02$1(a)news.t-online.com...

> Jonathan Lee wrote:
>
>> I'm sure any number of examples of equally bad security can be
>> made. For example, suppose you had a key logger installed on
>> your USB port, etc.
>
> [snip]
>
> The internet security of one's computer is indeed very hard to
> be ensured for most people, excepting experts, I believe. I like
> to tell the following personal story: Long time ago I bought
> a computer with a pre-installed antivirus program. On starting
> up, I was asked to register. I didn't register. A few months
> later I got an email from the producer. I couldn't explain how
> that happened.

That is a great story. Perhaps when you registered the computer (rather than the anti-virus program)?

Datesfat
From: Datesfat Chicks on 19 May 2010 20:17
"Jonathan Lee" <chorus(a)shaw.ca> wrote in message news:f2d4b5e3-3b3b-4fb7-9764-45d3679486a3(a)n15g2000yqf.googlegroups.com...

> Can anyone tell me if there are "reasonably" safe ways of storing
> passwords on disk? For example, my e-mail client clearly saves my
> passwords somewhere. If it doesn't store them as plain text, it
> probably encrypts them. But then the key must be stored somewhere...
> etc. I can't see how this can be done safely.
>
> Or is printing a disclaimer about remembering passwords considered
> "good enough"?
>
> Thanks for any information
> --Jonathan
>
> PS I want to know so that I can look into implementing something
> similar myself.

If you're only interested in authenticating passwords (for your own application), then you can store the hashes of the user passwords rather than the passwords.

With a little cryptographic salt thrown in (this is a real term), you can make a dictionary attack not viable, leaving only brute-force password-guessing.

I think if you hash the item enough times (maybe a million), you can then make brute-force password trials computationally expensive (you only need to do it once--but an attacker has to do it a large number of times as he iterates through guesses). I think there is a word for this technique ... not sure what.

But, if you need to store passwords that will be used to authenticate into another system ... it becomes more complex. You have to still have something from the user on every session: something like a master password.

Datesfat
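The salted, repeatedly-hashed verifier the reply above describes is what is usually called key stretching; PBKDF2 is the standardized form of it. The following is an added example (not code from anyone in this thread) showing the store-and-verify flow for an application's own user database, using Python's standard library. The record format (`pbkdf2_sha256$iterations$salt$hash`), the 600,000 default iteration count and the `needs_rehash` helper are this example's own choices, not anything the thread specifies; the poster's "maybe a million" would work the same way. The salt is generated per user from the OS random source, and the iteration count is stored in the record so it can be raised later as hardware gets faster.

```python
import hashlib
import hmac
import os
from typing import Optional

# Work factor. Assumed default for this example; the thread suggests on the
# order of a million iterations. Stored in each record so it can be raised later.
ITERATIONS = 600_000
SALT_BYTES = 16
HASH_NAME = "sha256"


def hash_password(password: str, *, iterations: int = ITERATIONS,
                  salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: pbkdf2_<hash>$<iterations>$<salt hex>$<hash hex>.

    A fresh random salt per user means two users with the same password get
    different records, and a precomputed dictionary of hashes is useless.
    The iteration count is what makes each guess expensive for an attacker
    while the legitimate login pays the cost only once per attempt.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    derived = hashlib.pbkdf2_hmac(HASH_NAME, password.encode("utf-8"),
                                  salt, iterations)
    return f"pbkdf2_{HASH_NAME}${iterations}${salt.hex()}${derived.hex()}"


def _parse_record(record: str):
    algo, iterations, salt_hex, hash_hex = record.split("$")
    if not algo.startswith("pbkdf2_"):
        raise ValueError("unsupported record format")
    hash_name = algo.split("_", 1)[1]
    return hash_name, int(iterations), bytes.fromhex(salt_hex), bytes.fromhex(hash_hex)


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and iteration count and compare.

    hmac.compare_digest runs in constant time, so a wrong guess cannot be
    distinguished by how quickly the comparison fails.
    """
    hash_name, iterations, salt, expected = _parse_record(record)
    derived = hashlib.pbkdf2_hmac(hash_name, password.encode("utf-8"),
                                  salt, iterations)
    return hmac.compare_digest(derived, expected)


def needs_rehash(record: str, *, iterations: int = ITERATIONS) -> bool:
    """True if the stored record uses fewer iterations than the current policy.

    Call this after a successful login so old records get upgraded to the
    current work factor while the plaintext is briefly available.
    """
    _, stored_iterations, _, _ = _parse_record(record)
    return stored_iterations < iterations


if __name__ == "__main__":
    # Constructed demo values, not real credentials.
    rec_a = hash_password("correct horse battery staple")
    rec_b = hash_password("correct horse battery staple")
    print("same password, different records:", rec_a != rec_b)
    print("right password verifies:", verify_password("correct horse battery staple", rec_a))
    print("wrong password rejected:", verify_password("Tr0ub4dor&3", rec_a))
    print("old record needs upgrade:",
          needs_rehash(hash_password("x", iterations=1000)))
```

Note the last paragraph of the reply still applies: this scheme only works when your own application is the thing doing the authenticating. A client that must present the real password to another system (the e-mail client in the original question) cannot use a one-way hash, because it needs the password back.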