[cryptography] Hi all, would like your feedback on something

Jeffrey Walton noloader at gmail.com
Fri Dec 18 14:43:45 EST 2015


> The question we are trying to answer here is how could we all have ultra
> strong passwords i.e. “!3AbDEE9eE45DCea” that are unique for each and
> every website, email, social media, etc. service that we use but without
> having to trust any third parties to store them for us protected by single
> password (perhaps with 2 factor authentication, hardware key, etc.,
> admittedly), or to use some kind of local password manager that needs to be
> installed on every device you want to use it on with a local encrypted
> password file.  Lastly, it should be extremely resistant to rainbow tables
> if and when one of your passwords is leaked.

Peter Gutmann's Security Engineering
(https://www.cs.auckland.ac.nz/~pgut001/pubs/book.pdf) has a good
treatment of Passwords in general. See Chapter 7 on page 563.

John Stevens of OWASP performed threat modelling of passwords in
storage on the server. See Secure Password Storage
(https://docs.google.com/document/d/1R6c9NW6wtoEoT3CS4UVmthw1a6Ex6TGSBaEqDay5U7g).

