[lug] Application Password Security

Zan Lynx zlynx at acm.org
Mon Jun 20 14:55:38 MDT 2016

On 06/20/2016 02:44 PM, George Sexton wrote:
> The question I'm struggling with is what's the bigger security risk?
> Users re-using passwords, or my app keeping historical passwords.
> Although I'm making it pretty expensive to generate a dictionary, it
> still won't be impossible. I guess where I'm ending up is that the
> chance of a BCrypt password being compromised is lower than the risk of a
> user cycling through the same (or small set) of passwords.
> I would be interested in hearing what others think...

I have to say that I dislike it when services think they know better
than I do and force password rotations and such. But if you have to ...

One annoying thing you could do (annoying for attackers that is) is
every time you record a historical password hash, record the real one
and two or three random ones. Sort it in order by hash so it isn't easy
to figure out which password was last week's or which ones are real or fake.

Yes, during the check for password reuse this will be slower, but not by
a whole lot.
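As an added example (not code from the post), one way to implement the decoy-hash history Zan describes, in Python. It uses hashlib.scrypt from the standard library as a stand-in for the bcrypt mentioned in the thread; the function names, the three-decoys-per-entry count and the scrypt parameters are assumptions.

```python
import hashlib
import hmac
import os
import secrets
from typing import List, Optional

# Assumed stand-in for bcrypt: scrypt with a 16-byte random salt per entry.
# Parameters are kept modest so the example runs quickly; raise them in practice.
SCRYPT_N, SCRYPT_R, SCRYPT_P, DK_LEN = 2 ** 14, 8, 1, 32
SALT_LEN = 16
DECOYS_PER_ENTRY = 3  # assumed value; the post suggests "two or three"


def hash_password(password: str, salt: Optional[bytes] = None) -> bytes:
    """Return salt || scrypt(password); the salt is random unless supplied."""
    salt = os.urandom(SALT_LEN) if salt is None else salt
    digest = hashlib.scrypt(password.encode(), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DK_LEN)
    return salt + digest


def verify_password(password: str, stored: bytes) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    salt, digest = stored[:SALT_LEN], stored[SALT_LEN:]
    candidate = hash_password(password, salt)[SALT_LEN:]
    return hmac.compare_digest(candidate, digest)


def record_history(history: List[bytes], old_password: str) -> List[bytes]:
    """Add the real hash plus decoy hashes of random passwords, then sort.

    Every entry carries its own random salt, so sorting by the stored bytes
    gives an order that reveals neither which entry is real nor which is newest.
    """
    entries = [hash_password(old_password)]
    for _ in range(DECOYS_PER_ENTRY):
        entries.append(hash_password(secrets.token_urlsafe(16)))
    return sorted(history + entries)


def is_reused(history: List[bytes], new_password: str) -> bool:
    """True if new_password matches any historical entry, real or decoy.

    Each entry costs one full scrypt evaluation, which is the slowdown the
    post mentions: decoys multiply the check cost for the server and, far
    more so, for anyone trying to crack the stored history offline.
    """
    return any(verify_password(new_password, h) for h in history)
```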

