Re: A stab at implementing better password hashing, with mixed results
From | Peter Bex |
---|---|
Subject | Re: A stab at implementing better password hashing, with mixed results |
Date | |
Msg-id | 20121227153913.GA21622@frohike.homeunix.org |
In reply to | Re: A stab at implementing better password hashing, with mixed results (Claudio Freire <klaussfreire@gmail.com>) |
Responses | Re: A stab at implementing better password hashing, with mixed results |
List | pgsql-hackers |
On Thu, Dec 27, 2012 at 12:31:08PM -0300, Claudio Freire wrote:
> On Thu, Dec 27, 2012 at 11:46 AM, Peter Bex <Peter.Bex@xs4all.nl> wrote:
> >
> > Implementing a more secure challenge-response based algorithm means
> > a change in the client-server protocol. Perhaps something like SCRAM
> > (maybe through SASL) really is the way forward for this, but that
> > seems like quite a project and it seems to dictate how the passwords are
> > stored; it requires a hash of the PBKDF2 algorithm to be stored.
>
> It would be nonsense to do it in any other way... protecting the
> password store and not the exchange would just shift the weak spot.

Yeah, that's why I was being rather pessimistic about the patch I posted.
However, SCRAM will only protect the password; SSL is still required
to protect against connection hijacking.

Cheers,
Peter
--
http://sjamaan.ath.cx
--
"The process of preparing programs for a digital computer is especially
attractive, not only because it can be economically and scientifically
rewarding, but also because it can be an aesthetic experience much like
composing poetry or music."
-- Donald Knuth
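The exchange the two messages are discussing, as an added illustration (this is not code from the pgsql-hackers thread or from PostgreSQL itself): a minimal SCRAM-SHA-256 style flow following RFC 5802/7677, showing why the protocol dictates what the server stores. The server keeps only `StoredKey = H(ClientKey)` and `ServerKey`, both derived from the PBKDF2 output; it never holds the password or `ClientKey`, yet it can verify a client's proof and prove its own knowledge back. The user name, nonces, salt and iteration count below are constructed sample values, and `run_exchange` is a helper invented here to drive both sides in one process.

```python
import hashlib
import hmac
from base64 import b64encode

HASH = "sha256"  # SCRAM-SHA-256 (RFC 7677)


def hi(password: str, salt: bytes, iterations: int) -> bytes:
    """SCRAM's Hi() is PBKDF2 with HMAC over the chosen hash."""
    return hashlib.pbkdf2_hmac(HASH, password.encode("utf-8"), salt, iterations)


def make_verifier(password: str, salt: bytes, iterations: int) -> dict:
    """What the server stores at password-set time: no password, no ClientKey."""
    salted = hi(password, salt, iterations)
    client_key = hmac.new(salted, b"Client Key", HASH).digest()
    server_key = hmac.new(salted, b"Server Key", HASH).digest()
    return {
        "salt": salt,
        "iterations": iterations,
        "stored_key": hashlib.sha256(client_key).digest(),  # H(ClientKey)
        "server_key": server_key,
    }


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def client_proof(password: str, salt: bytes, iterations: int, auth_message: bytes) -> bytes:
    """Client side: ClientProof = ClientKey XOR HMAC(StoredKey, AuthMessage)."""
    salted = hi(password, salt, iterations)
    client_key = hmac.new(salted, b"Client Key", HASH).digest()
    stored_key = hashlib.sha256(client_key).digest()
    client_sig = hmac.new(stored_key, auth_message, HASH).digest()
    return _xor(client_key, client_sig)


def server_verify(verifier: dict, auth_message: bytes, proof: bytes):
    """Server side: recover ClientKey from the proof, check H(ClientKey) == StoredKey.

    Returns the ServerSignature on success (so the client can authenticate
    the server), or None if the proof does not verify."""
    client_sig = hmac.new(verifier["stored_key"], auth_message, HASH).digest()
    client_key = _xor(proof, client_sig)
    if not hmac.compare_digest(hashlib.sha256(client_key).digest(), verifier["stored_key"]):
        return None
    return hmac.new(verifier["server_key"], auth_message, HASH).digest()


def expected_server_signature(password: str, salt: bytes, iterations: int, auth_message: bytes) -> bytes:
    """Client side: what the server must send back if it really holds ServerKey."""
    salted = hi(password, salt, iterations)
    server_key = hmac.new(salted, b"Server Key", HASH).digest()
    return hmac.new(server_key, auth_message, HASH).digest()


def build_auth_message(user: str, client_nonce: str, server_nonce: str, salt: bytes, iterations: int) -> bytes:
    """AuthMessage = client-first-bare , server-first , client-final-without-proof.
    'c=biws' is base64("n,,"): no channel binding, which is why TLS is still
    needed on top of SCRAM to stop connection hijacking."""
    client_first_bare = f"n={user},r={client_nonce}"
    server_first = f"r={client_nonce}{server_nonce},s={b64encode(salt).decode()},i={iterations}"
    client_final_bare = f"c=biws,r={client_nonce}{server_nonce}"
    return ",".join([client_first_bare, server_first, client_final_bare]).encode()


def run_exchange(password_at_client: str, verifier: dict, user: str, client_nonce: str, server_nonce: str):
    """Helper invented for this example: run one SCRAM round trip.
    Returns (server_accepted_client, client_accepted_server)."""
    auth_msg = build_auth_message(user, client_nonce, server_nonce, verifier["salt"], verifier["iterations"])
    proof = client_proof(password_at_client, verifier["salt"], verifier["iterations"], auth_msg)
    server_sig = server_verify(verifier, auth_msg, proof)
    if server_sig is None:
        return False, False
    expected = expected_server_signature(password_at_client, verifier["salt"], verifier["iterations"], auth_msg)
    return True, hmac.compare_digest(server_sig, expected)


if __name__ == "__main__":
    # Constructed sample values; a real server draws salt and nonces from a CSPRNG.
    verifier = make_verifier("correct horse battery staple", b"constructed-salt", 4096)
    print("stored on server:", {k: (v.hex() if isinstance(v, bytes) else v) for k, v in verifier.items()})
    print("right password:", run_exchange("correct horse battery staple", verifier, "alice", "cn1", "sn1"))
    print("wrong password:", run_exchange("password123", verifier, "alice", "cn2", "sn2"))
```

The two stored values are the "hash of the PBKDF2 algorithm" Peter refers to: the password is stretched once with PBKDF2, and everything the server keeps is an HMAC or hash of that stretched value, so the on-disk format and the wire protocol are tied together by construction. Because the nonces are part of `AuthMessage`, a captured proof does not verify against a later exchange, but the `biws` (no channel binding) flag shows that SCRAM alone says nothing about the transport, matching the remark that SSL is still needed.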