Storing Passwords Post: 302928982

Sponsored Content

Top Forums Web Development Storing Passwords Post 302928982 by jim mcnamara on Tuesday 16th of December 2014 04:44:55 PM

12-16-2014

Registered User

My only comment is:

Key management is an absolute pain in the butt.

Regarding keys -- When not in use (ie standing somewhere) the half-keys should be encrypted - both on the user side and the system side. Otherwise they are sitting ducks. Largely for internal attacks. Because internal people are less likely to set off security alarms or be seen in scans.

Whenever someone cracks your code for the key encryption algorithm, then they win. Period.

IMO, in this situation you have to affix value as an ROI to an operation. The ROI is the return on investment - your time, money, and effort.

There is always somebody who will claim such and such can be cracked. This is fog.
Unless forward perfect secrecy is mandated take a value-based approach.

And if theoretical cracking may be true: are you providing code where FIPS 140-3 is mandated? FIPS 140-3 - Wikipedia, the free encyclopedia

If not mandated, then what you try to do is make it hard to crack what you have done to encrypt things. Is it worth the costs of getting to perfect? - if it exists.

If you use a decent block cipher, you are good. If somebody can reverse engineer code, or get your source easily, then most things you can do are pointless. Shell coders love source. That is the ROI I'm talking about. Spend resource in several areas for much bigger return.

This is a values call, not something completely subject to theorematic analysis. It ain't black and white.

And. key-keeping and encryption is only 1/20th of security. User hygiene (keep malware off user desktops), least privilege, password quality and ageing, and all sorts of physical security methods are required, i.e., VPN, firewall, DMZ, carefully controlled access to tapes and data centers, locked doors and file cabinets, etc.

Bottomline:
Make it hard enough on the bad guys so they go somewhere else.
If the equivalent of a stuxnet is attacking your system, you are dead. No matter what you do.

jim mcnamara

View Public Profile for jim mcnamara

Find all posts by jim mcnamara

9 More Discussions You Might Find Interesting

1. UNIX for Dummies Questions & Answers

Passwords

I am running unix 11.xxx....How do you change a user password. The previous vs was passwd at the command prompt. This no longer works. Thanks for the help

2. Shell Programming and Scripting

Hide Passwords

Is there a way not to display the password in the sys out when your korn shell script logs into sqlplus?

3. UNIX for Dummies Questions & Answers

sqlplus and passwords

Hope I'm in the right place to ask this. ... and I'm a total noob by the way. When changing an account password through telnet, everything seems fine. I can telnet back in afterward, but if I try to use sqlplus to get in it tells me password invalid. If I try to get in through sqlplus with the...

4. AIX

passwords encryption

I want to store a password of a user in a encrypted format and the use that encrypted password in my shell scripting. can any one of you let me know how to do it. Thanks in advance

5. UNIX for Advanced & Expert Users

About unix passwords.

How the unix is maintaining the password ? How it does the encryption and how the passwords are stored in the system and where it is stored ? How it is better when compared to other OS ?

6. OS X (Apple)

Storing ssh passwords/keys in keychain

Can anyone tell me how to set up ssh and keychain so when I connect to the remote system it uses keychain for the password or public key? The remote system is FreeBSD 8.0. Do I need to setup anything else on that end? Cheers.

7. Shell Programming and Scripting

passwords

Dear all, I need to automate/script a user password change process. I'm helpless cannot use expect since it's not installed and cannot install it either. Do i have an alternative. I can store the password in a file and that would be the password that would be set to all the users. If not i don't...

8. UNIX for Advanced & Expert Users

When did UNIX start using encrypted passwords, and not displaying passwords when you type them in?

I've been using various versions of UNIX and Linux since 1993, and I've never run across one that showed your password as you type it in when you log in, or one that stored passwords in plain text rather than encrypted. I'm writing a script for work for a security audit, and two of the...

9. HP-UX

Passwords and shadows

version 11.22 1 - In this version there is the shadow file by default?. If so why when I search the file I get "No / etc / shadow file found"? 2 - What does the "*" in etc / password? at the beginning of each password?

LEARN ABOUT ULTRIX

setkey

crypt(3)						     Library Functions Manual							  crypt(3)

Name
       crypt, crypt16, setkey, encrypt - DES encryption

Syntax
       char *crypt(key, salt)
       char *key, *salt;

       char *crypt16(key, salt)
       char *key, *salt;

       void setkey(key)
       char *key;

Description
       The  subroutine is the password encryption routine.  It is based on the NBS Data Encryption Standard, with variations intended to frustrate
       use of hardware implementations of the DES for key search.

       The first argument to is normally a user's typed password.  The second is a 2-character string chosen from the set [a-zA-Z0-9./].  The salt
       string  is  used to perturb the DES algorithm in one of 4096 different ways, after which the password is used as the key to encrypt repeat-
       edly a constant string.	The returned value points to the encrypted password, in the same alphabet as the salt.	The first  two	characters
       are the salt itself.

       The subroutine is identical to the function except that it will accept a password up to sixteen characters in length. It generates a longer
       encrypted password for use with enhanced security features.

       The other entries provide primitive access to the actual DES algorithm.	The argument of is a character array of length 64 containing  only
       the characters with numerical value 0 and 1.  If this string is divided into groups of 8, the low-order bit in each group is ignored, lead-
       ing to a 56-bit key which is set into the machine.

       The argument to the entry is likewise a character array of length 64 containing 0s and 1s.  The argument array is modified in  place  to  a
       similar	array  representing the bits of the argument after having been subjected to the DES algorithm using the key set by If edflag is 0,
       the argument is encrypted; if non-zero, it is decrypted.

Restrictions
       The return values from and point to static data areas whose content is overwritten by each call.

Environment
   Default Environment
       In the default environment on systems that do not have the optional encryption software installed the function expects  exactly	one  argu-
       ment,  the data to be encrypted. The edflag argument is not supplied and there is no way to decrypt data.  If the optional encryption soft-
       ware is installed the function behaves as it does in the POSIX environment.  The syntax for the default environment follows:
	    void encrypt(block)
	    char *block;

   POSIX Environment
       In the POSIX environment the encrypt function always expects two arguments.  The function will set errno to ENOSYS and return if edflag	is
       non-zero and the optional encryption software is not present.  The syntax for the POSIX environment follows:
	    void encrypt(block, edflag)
	    char *block;
	    int edflag;

       In all cases the function will set errno to ENOSYS and return if the optional encryption software is not present.

See Also
       login(1), passwd(1), yppasswd(1yp), getpass(3), auth(5), passwd(5), passwd(5yp)
       ULTRIX Security Guide for Users and Programmers

																	  crypt(3)