Proper Password Hashing & Security

mahin_pk
Site Admin


Post by mahin_pk »

Some of you may have missed this, while others may find it beneficial. This is from Alexander, the developer of the secure distro Openwall and of password strength testing tools / resources.

- - - - - - -


Hi,

After the security compromise that affected several gnu.org services and
websites, GNU Savannah (free software development hosting) introduced
proper password hashing and password/passphrase strength checking using
Openwall's passwdqc (invoking the pwqcheck and pwqgen programs):

http://savannah.gnu.org
http://savannah.gnu.org/maintenance/Compromise2010
http://git.savannah.gnu.org/cgit/savane-cleanup.git/

http://www.openwall.com/passwdqc/
http://www.openwall.com/articles/PHP-Us ... ord-policy
http://www.openwall.com/articles/PHP-Us ... -passwords

If you maintain an online service with user accounts, you should
probably do the same - preferably before your security compromise occurs.
Here's how to do it:

http://www.openwall.com/articles/PHP-Users-Passwords

and you may refer to the savane-cleanup git repository above for an
example of how they did it. You may also see this in action on their
new user registration page:

https://savannah.gnu.org/account/register.php

(Note: they use a http://www.cacert.org issued SSL certificate, which
will likely be unrecognized by your web browser by default. CAcert is
about making verifiable SSL certs freely available, and so is in line
with GNU. This has nothing to do with password strength checking; it's
just a side note I had to include.)

For proper password hashing, the Savannah Hackers chose to use the
SHA-512-based crypt(3) flavor that is currently included in the official
glibc (with this being the very reason for their choice), accessing it
from PHP scripts. Thus, they used only some pieces of code from our
phpass password hashing framework, whereas our recommendation for other
projects/websites/services is to use the entire thing:

http://www.openwall.com/phpass/

(It is risky to try to implement things like this entirely on your own.
Most people get it wrong.)

Indeed, lots of other security improvements have been made by the FSF
sysadmins and Savannah Hackers - many of these are described on the
Compromise2010 web page referenced above. However, this message is
about password security.

Alexander
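The SHA-512 crypt(3) hashing from PHP that the message describes, as an added example (not code from the original message, from Savannah's savane-cleanup repository, or from phpass); the round count, salt length and function names are assumptions made here:

```php
<?php
// Added example: SHA-512 crypt(3) password hashing from PHP, the glibc
// flavour referred to in the message above. Stored hashes look like
// "$6$rounds=N$<salt>$<hash>". Rounds and salt length are assumed values
// chosen for this example, not taken from Savannah's configuration.

const CRYPT_ALPHABET = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz';
const SHA512_ROUNDS  = 100000; // assumption: tune so one hash takes ~100 ms

// Build a 16-character salt from the crypt alphabet using a CSPRNG.
// 256 is a multiple of 64, so the modulo introduces no bias.
function generate_salt(): string {
    $salt = '';
    foreach (str_split(random_bytes(16)) as $byte) {
        $salt .= CRYPT_ALPHABET[ord($byte) % 64];
    }
    return $salt;
}

function hash_password(string $password): string {
    $setting = sprintf('$6$rounds=%d$%s$', SHA512_ROUNDS, generate_salt());
    $hash = crypt($password, $setting);
    // crypt() returns a short failure string (e.g. "*0") if the flavour is missing.
    if (strlen($hash) < 13) {
        throw new RuntimeException('crypt() failed; SHA-512 crypt unavailable');
    }
    return $hash;
}

// Passing the stored hash as the setting string reuses its rounds and salt;
// the comparison is constant-time so the check does not leak via timing.
function verify_password(string $password, string $stored): bool {
    $candidate = crypt($password, $stored);
    return strlen($candidate) >= 13 && hash_equals($stored, $candidate);
}

// True if the stored hash uses another algorithm or fewer rounds than the
// current policy, meaning it should be re-hashed at the user's next login.
function needs_rehash(string $stored): bool {
    return !preg_match('/^\$6\$rounds=(\d+)\$/', $stored, $m)
        || (int) $m[1] < SHA512_ROUNDS;
}

$stored = hash_password('correct horse battery staple'); // constructed sample
var_dump(verify_password('correct horse battery staple', $stored));
var_dump(verify_password('wrong password', $stored));
var_dump(needs_rehash('$6$legacysalt$constructedlegacyhash'));
```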