[180215] in North American Network Operators' Group


Re: Password storage (was Re: gmail security is a joke)

daemon@ATHENA.MIT.EDU (Christopher Morrow)
Thu May 28 10:08:49 2015

X-Original-To: nanog@nanog.org
In-Reply-To: <5566DFFB.9050109@ripe.net>
Date: Thu, 28 May 2015 10:08:44 -0400
From: Christopher Morrow <morrowc.lists@gmail.com>
To: Robert Kisteleki <robert@ripe.net>
Cc: nanog list <nanog@nanog.org>
Errors-To: nanog-bounces@nanog.org

On Thu, May 28, 2015 at 5:29 AM, Robert Kisteleki <robert@ripe.net> wrote:
>
>> Bcrypt or PBKDF2 with random salts per password is really what anyone
>> storing passwords should be using today.
>
> Indeed. A while ago I had a brainfart and presented it in a draft:
> https://tools.ietf.org/html/draft-kistel-encrypted-password-storage-00
>
> It seemed like a good idea at the time :-) It didn't gain much traction though.

I get the feeling that, along with things like 'email address
verification' in javascript form things, passwd storage and management
is something done via a few (or a bunch of crappy home-grown) code
bases.

Seems like 'find the common/most-used' ones and fix them would get
some mileage? I don't imagine that 'dlink' (for example) is big on
following rfc stuff for their web-interface programming? (well, at
least for things like 'how should we store passwds?')
