Beefy Boxes and Bandwidth Generously Provided by pair Networks
Problems? Is your data what you think it is?
 
PerlMonks  

Reaped: Re^2: Replacing crypt() for password login via a digest - looking for stronger alternative

by NodeReaper (Curate)
on Jun 15, 2021 at 18:28 UTC ( #11133898=note: print w/replies, xml ) Need Help??


in reply to Re: Replacing crypt() for password login via a digest - looking for stronger alternative
in thread Replacing crypt() for password login via a digest - looking for stronger alternative

This node falls below the community's threshold of quality. You may see it by logging in.
  • Comment on Reaped: Re^2: Replacing crypt() for password login via a digest - looking for stronger alternative

Replies are listed 'Best First'.
Re^3: Replacing crypt() for password login via a digest - looking for stronger alternative
by marto (Cardinal) on Jun 15, 2021 at 19:04 UTC

    "Passwords are usually harvested by keystroke scrapers."

    my sources say no. Care to back up this claim?

      From personal experience, passwords are mostly harvested in 3 ways: Data breaches, emails that redirect to fake "password change" forms and from just plainly asking people for their passwords.

      perl -e 'use Crypt::Digest::SHA256 qw[sha256_hex]; print substr(sha256_hex("the Answer To Life, The Universe And Everything"), 6, 2), "\n";'
        passwords are mostly harvested in 3 ways: [...] and from just plainly asking people for their passwords.

        Simply asking for credentials works shockingly well. You need one bar of chocolade per password: https://orbilu.uni.lu/handle/10993/26214 (via https://www.heise.de/hintergrund/Passwort-gegen-Schokolade-3245447.html).

        And it becomes much worse in an environment were people trust each other. Just today, a co-worker showed me a really old piece of paper with his/her current (Samba) Active Directory password, which would give me access to Windows, mails, calendar, vacation planner, and other systems. The account name is trivially firstname.lastname, so just handing out the password is sufficient to gain access. The password is really bad, it can be found in every dictionary, and just adds one non-alphanumeric character. To make things worse, we have just finished migrating our legacy Samba NT4 domain to Active Directory, including a mandatory password reset for all users. And people simply reuse their old, insecure passwords hidden under keyboards, desk pads, or in the top drawer. And the really, really worst part of that password: It was the default passwort for new accounts used for at least a decade.

        I'm a developer, but one day every two weeks is reserved for admin work. I can get root/Administrator access on all machines, and so I could bypass all ACLs and Unix permissions. I would not need anyone's password to get access to all data. So handing out a personal password to me technically does not make things worse. But just the fact that co-workers hand out their password at all is wrong. I don't want to know their passwords, I don't want access to their data.

        I would really like to hire a trustworthy friend to repeat the chocolade-for-password experiment at work. Followed by a mandatory password security training, after asking who has got a sweet present.

        Alexander

        --
        Today I will gladly share my knowledge and experience, for there are no sweeter words than "I told you so". ;-)
      When has he ever?

        It's the kind of BS snake oil salespeople have been selling for literally decades. Some of them end up brainwashing convincing themselves that they know what they're talking about. You and I both understand why he's doing this, so for the sake of OP and future readers, challenging someone to back up such claims, while it takes a little time to do, isn't a complete waste of time.

        Update: As usual, interesting to see someone upvoting such shenanigans.

Log In?
Username:
Password:

What's my password?
Create A New User
Domain Nodelet?
Node Status?
node history
Node Type: note [id://11133898]
help
Chatterbox?
and the web crawler heard nothing...

How do I use this? | Other CB clients
Other Users?
Others chanting in the Monastery: (4)
As of 2021-07-26 15:47 GMT
Sections?
Information?
Find Nodes?
Leftovers?
    Voting Booth?

    No recent polls found

    Notices?