Adding Secure Passwords to Linux

Newsgroups comp.os.linux.security
Date 2022-07-28 11:25 -0700
Message-ID <b5a2266d-b904-4175-bbaf-a4e5139754bbn@googlegroups.com> (permalink)
Subject Adding Secure Passwords to Linux
From John Savard <quadibloc@gmail.com>


I just encountered an article saying that, since today's GPUs are so
powerful, there's no such thing as a secure password any more.

The death of the password is a bad thing, because smartphones
can get lost, broken, or bricked. Indeed, if people have to use
smartphones to log on to everything, they will be the new high-value
target.

However, Linux can set an example of how to make passwords work.

Using a GPU to brute-force a password requires an attacker
to have gotten a copy of the password file from the target
machine - that's how an attacker can try zillions of passwords, instead
of being locked out after three failed attempts, each of which took
several seconds.

So if one changed how password files stored passwords...

Use a better hash function.
Use 128-bit salt.
Use Blowfish encryption as a stage in the process.

So when a Linux system is installed, a random and unique key is
generated for the encryption phase in checking passwords against
the password file.

Of course, that unique key still has to be stored somewhere on the
system, so an attacker could still obtain it. Another possibility too...
*most* cryptographic algorithms today are careful to avoid any
conditional branch operations, because they're conducive to attacks
which grab the key by monitoring power consumption. But such an
algorithm - one that does use a lot of conditional branches - would be
hard to implement efficiently on a GPU.

John Savard
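
An added illustration, not part of the post above and not code from any Linux distribution: a Python sketch of the storage scheme the post outlines, with a 128-bit random salt, a slow hash, and a keyed stage using a per-installation random key. As assumptions of this example, scrypt (memory-hard, so costly to parallelise on GPUs) stands in for the "better hash", HMAC-SHA-256 stands in for the Blowfish stage, and all function names and cost parameters are hypothetical.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Assumed cost parameters for this sketch (not from the post).
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2**14, 8, 1   # about 16 MiB of memory per guess
SALT_BYTES = 16                               # 128-bit salt, as the post suggests


def new_system_key() -> bytes:
    """Random per-installation key, generated once when the system is installed."""
    return secrets.token_bytes(32)


def hash_password(password: str, system_key: bytes,
                  salt: Optional[bytes] = None) -> str:
    """Return 'salt_hex$tag_hex', the record that would go in the password file."""
    if salt is None:
        salt = secrets.token_bytes(SALT_BYTES)
    # Stage 1: salted, memory-hard hash; each guess costs time and memory.
    stretched = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                               n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    # Stage 2: keyed step. Without system_key, a stolen password file alone
    # gives an attacker nothing to test guesses against.
    tag = hmac.new(system_key, stretched, hashlib.sha256).hexdigest()
    return f"{salt.hex()}${tag}"


def verify_password(password: str, stored: str, system_key: bytes) -> bool:
    """Recompute the record with the stored salt and compare in constant time."""
    salt_hex, _, expected = stored.partition("$")
    candidate = hash_password(password, system_key, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate.partition("$")[2], expected)


if __name__ == "__main__":
    key = new_system_key()                       # constructed sample values
    record = hash_password("correct horse", key)
    print(record)
    print(verify_password("correct horse", record, key))   # right password
    print(verify_password("correct horse", record, new_system_key()))  # wrong key
```

As the post notes, the key has to live somewhere on the system; the keyed stage only helps if the key is stored separately from the password file, so that leaking one does not leak the other.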
