[lug] Application Password Security

George Sexton georges at mhsoftware.com
Mon Jun 20 15:06:26 MDT 2016

On 6/20/2016 2:55 PM, Zan Lynx wrote:
> On 06/20/2016 02:44 PM, George Sexton wrote:
>> The question I'm struggling with is what's the bigger security risk?
>> Users re-using passwords, or my app keeping historical passwords.
>> Although I'm making it pretty expensive to generate a dictionary, it
>> still won't be impossible. I guess where I'm ending up is that the
>> chance of BCrypt password being compromised is lower than the risk of a
>> user cycling through the same (or small set) of passwords.
>> I would be interested in hearing what others think...
> I have to say that I dislike it when services think they know better
> than I do and force password rotations and such. But if you have to ...

Actually, I let the user configure their system in the manner they 
desire. For some people, it's a checklist thing. They have a checklist 
(or they're subject to a checklist).

> One annoying thing you could do (annoying for attackers that is) is
> every time you record a historical password hash, record the real one
> and two or three random ones. Sort it in order by hash so it isn't easy
> to figure out which password was last week's or which ones are real or fake.
> Yes during the check for password reuse this will be slower, but not by
> a whole lot.
> _______________________________________________
> Web Page:  http://lug.boulder.co.us
> Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug
> Join us on IRC: irc.hackingsociety.org port=6667 channel=#hackingsociety

George Sexton
*MH Software, Inc.*
Voice: 303 438 9585
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.lug.boulder.co.us/pipermail/lug/attachments/20160620/51a4e6c4/attachment.html>

More information about the LUG mailing list