Password Knee-Jerk Reactions

Discussion in 'NZ Computing' started by Lawrence D'Oliveiro, Sep 3, 2009.

  1. Some people are criticizing Microsoft for refusing to fix this
    <http://www.theregister.co.uk/2009/09/02/sql_server_password_exposure/>. The
    “problem” is that someone with admin access can obtain people’s unencrypted
    passwords.

    Something people don’t understand about passwords is that there are two
    different ways to check them, and they are fundamentally incompatible.

    For local access: in this situation, you can get away with storing only one-
    way-hashed passwords. As the user types in the password, you put it through
    the same hash. If it matches the stored hash, then you conclude that they've
    typed the right password, and let them in.

    The above doesn't work for remote access, because it requires the user to
    trust that the system asking them for the password is really the one they’re
    trying to access, not an impostor trying to steal their password. A physical
    box, probably located in a secure location, is easier to trust when you’re
    directly in front of it, as opposed to some server on the Internet that you
    can’t see, perhaps located in a completely different part of the world.

    For remote access, you need some kind of shared-secret authentication, where
    the two ends each convince the other they know what the secret is, without
    ever passing the secret itself in unencrypted form over the communication
    channel. But this requires that each end have access to the actual secret,
    not some one-way hash derived from it. Thus, this precludes storing one-way-
    hashed passwords at the server end.

    Kerberos applies a one-way hash to the user-entered password before doing
    the authentication handshake. But that just means that the hashed password
    becomes the real secret, and anybody with access to that can impersonate the
    client. (The normal client hashes what the user types; but it’s easy enough
    to create a patched client that lets a user enter a hash directly.)

    Moral: know what passwords are going to be used for, before jumping to
    conclusions about how they must be stored.
    Lawrence D'Oliveiro, Sep 3, 2009
    #1
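The two verification styles described in the post, side by side, as an added example (not from the original thread or its author). The local check stores only a salted, slow one-way hash and compares a fresh hash of what the user types; the remote check is a challenge-response over a shared secret derived Kerberos-style from the password, with the server also proving itself to the client. The password, the nonce lengths and the use of PBKDF2/HMAC-SHA256 are constructed choices for illustration. The `demo()` function exercises the consequence the post draws: locally, the stored hash is useless as a login credential, whereas remotely the stored secret alone answers the challenge, so it must be protected like the password itself.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # PBKDF2 work factor; constructed value for the example


# --- Local access: only a one-way hash is stored, never the secret itself. ---
def make_local_record(password: str) -> dict:
    """Store salt + PBKDF2-HMAC-SHA256 of the password (nothing reversible)."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt, "hash": digest}


def verify_local(record: dict, typed: str) -> bool:
    """Re-hash what the user typed and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", typed.encode(), record["salt"], ITERATIONS)
    return hmac.compare_digest(candidate, record["hash"])


# --- Remote access: challenge-response over a shared secret. ---
def derive_secret(password: str) -> bytes:
    """Kerberos-style: hash the password once; that hash IS the shared secret."""
    return hashlib.sha256(password.encode()).digest()


def new_nonce() -> bytes:
    """A fresh random challenge; never reused, so responses cannot be replayed."""
    return os.urandom(16)


def prove(secret: bytes, nonce: bytes) -> bytes:
    """Prove knowledge of the secret without sending it: HMAC over the nonce."""
    return hmac.new(secret, nonce, "sha256").digest()


def verify_remote(stored_secret: bytes, nonce: bytes, response: bytes) -> bool:
    """The verifier must hold the actual secret to recompute the expected HMAC."""
    expected = prove(stored_secret, nonce)
    return hmac.compare_digest(expected, response)


def demo() -> dict:
    password = "correct horse battery staple"  # constructed sample password
    record = make_local_record(password)       # what a local login database keeps
    secret = derive_secret(password)           # what a remote auth server keeps

    # Remote handshake: server challenges client, client challenges server.
    server_nonce = new_nonce()
    client_nonce = new_nonce()
    client_response = prove(derive_secret(password), server_nonce)  # client knows pw
    server_response = prove(secret, client_nonce)                   # server knows secret

    return {
        "local_ok": verify_local(record, password),
        "local_wrong": verify_local(record, "wrong password"),
        # Typing the stored hash in as the password does not log you in locally.
        "local_hash_as_password": verify_local(record, record["hash"].hex()),
        "remote_ok": verify_remote(secret, server_nonce, client_response),
        "remote_wrong": verify_remote(
            secret, server_nonce, prove(derive_secret("wrong password"), server_nonce)
        ),
        # Mutual authentication: the client checks the server's answer too.
        "server_proves_itself": verify_remote(derive_secret(password), client_nonce, server_response),
        # Whoever holds the server's stored secret can answer the challenge with no
        # password at all: the stored value is password-equivalent.
        "remote_with_stored_secret_only": verify_remote(
            secret, server_nonce, prove(bytes(secret), server_nonce)
        ),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The local record can be published in a breach and still cannot be replayed as a credential (short of brute force against the slow hash), which is why one-way hashing is the right fit there; the remote server's record, by contrast, must be treated as the secret itself, which is the point the post makes about Kerberos.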