Login or Register to Ask a Question and Join Our Community

Sponsored Content
Full Discussion: Storing Passwords
Top Forums Web Development Storing Passwords Post 302928982 by jim mcnamara on Tuesday 16th of December 2014 04:44:55 PM
Old 12-16-2014
My only comment is:

Key management is an absolute pain in the butt.

Regarding keys -- When not in use (ie standing somewhere) the half-keys should be encrypted - both on the user side and the system side. Otherwise they are sitting ducks. Largely for internal attacks. Because internal people are less likely to set off security alarms or be seen in scans.

Whenever someone cracks your code for the key encryption algorithm, then they win. Period.

IMO, in this situation you have to affix value as an ROI to an operation. The ROI is the return on investment - your time, money, and effort.

There is always somebody who will claim such and such can be cracked. This is fog.
Unless forward perfect secrecy is mandated take a value-based approach.

And if theoretical cracking may be true: are you providing code where FIPS 140-3 is mandated? FIPS 140-3 - Wikipedia, the free encyclopedia

If not mandated, then what you try to do is make it hard to crack what you have done to encrypt things. Is it worth the costs of getting to perfect? - if it exists.

If you use a decent block cipher, you are good. If somebody can reverse engineer code, or get your source easily, then most things you can do are pointless. Shell coders love source. That is the ROI I'm talking about. Spend resource in several areas for much bigger return.

This is a values call, not something completely subject to theorematic analysis. It ain't black and white.

And. key-keeping and encryption is only 1/20th of security. User hygiene (keep malware off user desktops), least privilege, password quality and ageing, and all sorts of physical security methods are required, i.e., VPN, firewall, DMZ, carefully controlled access to tapes and data centers, locked doors and file cabinets, etc.

Bottomline:
Make it hard enough on the bad guys so they go somewhere else.
If the equivalent of a stuxnet is attacking your system, you are dead. No matter what you do.
 

9 More Discussions You Might Find Interesting

1. UNIX for Dummies Questions & Answers

Passwords

I am running unix 11.xxx....How do you change a user password. The previous vs was passwd at the command prompt. This no longer works. Thanks for the help (3 Replies)
Discussion started by: turner.rd
3 Replies

2. Shell Programming and Scripting

Hide Passwords

Is there a way not to display the password in the sys out when your korn shell script logs into sqlplus? (3 Replies)
Discussion started by: lesstjm
3 Replies

3. UNIX for Dummies Questions & Answers

sqlplus and passwords

Hope I'm in the right place to ask this. ... and I'm a total noob by the way. When changing an account password through telnet, everything seems fine. I can telnet back in afterward, but if I try to use sqlplus to get in it tells me password invalid. If I try to get in through sqlplus with the... (1 Reply)
Discussion started by: tazman4
1 Replies

4. AIX

passwords encryption

I want to store a password of a user in a encrypted format and the use that encrypted password in my shell scripting. can any one of you let me know how to do it. Thanks in advance (0 Replies)
Discussion started by: kalpana.anuga
0 Replies

5. UNIX for Advanced & Expert Users

About unix passwords.

How the unix is maintaining the password ? How it does the encryption and how the passwords are stored in the system and where it is stored ? How it is better when compared to other OS ? (1 Reply)
Discussion started by: nagalenoj
1 Replies

6. OS X (Apple)

Storing ssh passwords/keys in keychain

Can anyone tell me how to set up ssh and keychain so when I connect to the remote system it uses keychain for the password or public key? The remote system is FreeBSD 8.0. Do I need to setup anything else on that end? Cheers. (0 Replies)
Discussion started by: Haggardly
0 Replies

7. Shell Programming and Scripting

passwords

Dear all, I need to automate/script a user password change process. I'm helpless cannot use expect since it's not installed and cannot install it either. Do i have an alternative. I can store the password in a file and that would be the password that would be set to all the users. If not i don't... (1 Reply)
Discussion started by: earlysame55
1 Replies

8. UNIX for Advanced & Expert Users

When did UNIX start using encrypted passwords, and not displaying passwords when you type them in?

I've been using various versions of UNIX and Linux since 1993, and I've never run across one that showed your password as you type it in when you log in, or one that stored passwords in plain text rather than encrypted. I'm writing a script for work for a security audit, and two of the... (5 Replies)
Discussion started by: Anne Neville
5 Replies

9. HP-UX

Passwords and shadows

version 11.22 1 - In this version there is the shadow file by default?. If so why when I search the file I get "No / etc / shadow file found"? 2 - What does the "*" in etc / password? at the beginning of each password? (1 Reply)
Discussion started by: shinju15
1 Replies

LEARN ABOUT DEBIAN

rngtest

RNGTEST(1)						      General Commands Manual							RNGTEST(1)

NAME

       rngtest - Check the randomness of data using FIPS 140-2 tests

SYNOPSIS

       rngtest [-c n | --blockcount=n] [-b n | --blockstats=n] [-t n | --timedstats=n] [-p | --pipe] [-?] [--help] [-V] [--version]

DESCRIPTION

       rngtest works on blocks of 20000 bits at a time, using the FIPS 140-2 (errata of 2001-10-10) tests to verify the randomness of the block of
       data.

       It takes input from stdin, and outputs statistics to stderr, optionally echoing blocks that passed the FIPS tests to stdout (when operating
       in pipe mode).  Errors are sent to stderr.

       At  startup,  rngtest will throw away the first 32 bits of data when operating in pipe mode.  It will use the next 32 bits of data to boot-
       strap the FIPS tests (even when not operating in pipe mode).  These bits are not tested for randomness.

       Statistics are dumped to stderr when the program exits.

OPTIONS

       -p, --pipe
	      Enable pipe mode.  All data blocks that pass the FIPS tests are echoed to stdout, and rngtest operates in silent mode.

       -c n, --blockcount=n (default: 0)
	      Exit after processing n input blocks, if n is not zero.

       -b n, --blockstats=n (default: 0)
	      Dump statistics every n blocks, if n is not zero.

       -t n, --timedstats=n (default: 0)
	      Dump statistics every n secods, if n is not zero.

       -?, --help
	      Give a short summary of all program options.

       -V, --version
	      Print program version

STATISTICS

       rngtest will dump statistics to stderr when it exits, and when told to by blockstats or timedstats.

       FIPS 140-2 successes and FIPS 140-2 failures counts the number of 20000-bit blocks either accepted or rejected by  the  FIPS  140-2  tests.
       The  other  statistics  show  a	breakdown of the FIPS 140-2 failures by FIPS 140-2 test.  See the FIPS 140-2 document for more information
       (note that these tests are defined on FIPS 140-1 and FIPS  140-2  errata  of  2001-10-10.  They	were  removed  in  FIPS  140-2	errata	of
       2002-12-03).

       The speed statistics are taken for every 20000-bit block trasferred or processed.

EXIT STATUS

       0 if no errors happen, and no blocks fail the FIPS tests.

       1 if no errors happen, but at least one block fails the FIPS tests.

       10 if there are problems with the parameters.

       11 if an input/output error happens.

       12 if an operating system or resource starvation error happens.

SEE ALSO

       random(4), rngd(8)

       FIPS PUB 140-2 Security Requirements for Cryptographic Modules, NIST,
	      http://csrc.nist.gov/cryptval/140-2.htm

AUTHORS

       Henrique de Moraes Holschuh <hmh@debian.org>

rng-tools 2-unofficial-mt.14					    March 2004								RNGTEST(1)
All times are GMT -4. The time now is 10:22 PM.
Unix & Linux Forums Content Copyright 1993-2022. All Rights Reserved.
Privacy Policy