Re: safety of passwords for web-service applications
| From | Bill Moran |
|---|---|
| Subject | Re: safety of passwords for web-service applications |
| Date | |
| Msg-id | 20121124072419.8445f5af2cc921c0b9e54373@potentialtech.com |
| In reply to | Re: safety of passwords for web-service applications ("Vlad K." <vlad@haronmedia.com>) |
| List | pgsql-general |
On Sat, 24 Nov 2012 11:05:38 +0100 "Vlad K." <vlad@haronmedia.com> wrote:

>
> On 11/24/2012 10:15 AM, Rafal Pietrak wrote:
> > Some improvement in passwords safety could be gained, if the database
> > table access methods (e.g. SELECT...) provided means to limit that
> > access to just one entry at a time, and return results only when
> > (password) column hash was equal for a single entry. e.g. information is
> > not leaking when password don't match.
>
> But what about situations where the attackers gained access to the
> database itself or faulty discs that got replaced? Isn't just having a
> strong hash a better solution? And by strong I mean a bcrypt based or
> similar approach that requires significant time to calculate a single hash.

The best defense from this kind of attack is PKI. The client generates a key pair and installs the public key in the application database, keeping the private key to use for auth. Of course, this requires a level of technical knowledge beyond what most users possess, which is a damn shame.

--
Bill Moran <wmoran@potentialtech.com>
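The public-key scheme Bill describes, as an added Go example that is not code from this thread, from PostgreSQL or from any poster: the server stores only each user's public key (a map standing in for the application table, a constructed stand-in), issues a fresh random challenge per login, and accepts a signature made with the client's private key. The names `userTable`, `Enroll`, `NewChallenge`, `Respond` and `Verify` are this example's own. The property that matters for the "attacker has the database" case is visible in the code: nothing in the stored table can produce a valid response.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// userTable stands in for the application table that holds each user's
// registered public key and nothing secret (constructed, not a real schema).
type userTable map[string]ed25519.PublicKey

// Enroll generates the client's key pair; only the public half is stored,
// the private half stays with the client.
func Enroll(db userTable, user string) (ed25519.PrivateKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	db[user] = pub
	return priv, nil
}

// NewChallenge is the fresh random nonce the server issues for one login.
func NewChallenge() ([]byte, error) {
	c := make([]byte, 32)
	_, err := rand.Read(c)
	return c, err
}

// Respond is the client step: prove possession of the private key by signing.
func Respond(priv ed25519.PrivateKey, challenge []byte) []byte {
	return ed25519.Sign(priv, challenge)
}

// Verify is the server step: check the signature against the stored public key.
func Verify(db userTable, user string, challenge, sig []byte) bool {
	pub, ok := db[user]
	if !ok || len(sig) != ed25519.SignatureSize {
		return false
	}
	return ed25519.Verify(pub, challenge, sig)
}

func main() {
	db := userTable{}
	priv, _ := Enroll(db, "alice")
	ch, _ := NewChallenge()
	fmt.Println("genuine client:", Verify(db, "alice", ch, Respond(priv, ch))) // true
}
```

Because the challenge is random per login, a captured response cannot be replayed, and a copy of the table yields only public keys, so it cannot be used to log in the way a stolen table of fast hashes can be cracked.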