NIST’s new password rules – what you need to know

Unfortunately, your arguments may seem logical to someone unfamiliar with hashing. I'll explain the key flaws in your concerns:

1: Hash collisions. Depending on your hashing algorithm, you'll have a hash length of 32, 40, 64 characters/digits (among other combinations). This can't possibly be unique for every single file of every possible length - it's mathematically impossible. That's not the intent of hashing, and that fact is a cornerstone of understanding cryptography (and cryptographic weaknesses). So, no, it does not reduce the protection provided at all, unless you're one of the security-through-obscurity folk who are proposing that the hashing algorithm be kept secret from the clients. But please explain any scenario where a compromise of the server and stored hashes would not result in a compromise of the hashing algorithm.

2: YES! Hashes are essentially the password for the user account. This is how all authentication that does not rely on a key exchange/handshake works. I'm glad you've realized this. In fact, this is a very old attack in some poorly designed systems that use handshakes (e.g.: Microsoft's NetNTLM https://en.wikipedia.org/wiki/Pass_the_hash).

3: You state: "Additionally, a compromised server could easily alter the hashing code to push out the original password file for sniffing anyway" I'm trying to make sure I haven't misinterpreted, so let me give this a shot. You're proposing that a hacker might modify the libraries used to perform the hashing process on the server in order to bypass the need to attempt doing offline attacks against the hashes it stores? Wasn't your argument that doing server side hashing is somehow safer? This statement of yours directly conflicts with that argument. I'll toss this one in here too - if a hacker controls the server, the much more direct route would be scraping the fields as they're populated (first way that comes to mind is to add javascript to the page) or, in this case, modify the file upload process to make a copy of the file.

In all cases, your final point is completely flawed - and is the fundamental reason that client side hashing is better for performance AND for security - "If the server can't be trusted, you can't trust anything else that's touched it either." You're right, so why would I want to give a server my actual password/passfile/authentication details instead of a one way hash of those files?

/r/sysadmin Thread Parent Link - nakedsecurity.sophos.com
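The following is an added worked example, written by the editor and not code from the thread, the commenter, or Sophos. It simulates point 2 of the comment above: when the client sends a hash and the server stores and compares that value as-is, a copy of the user table is a replayable credential (pass-the-hash). It then goes one step beyond the comment and shows the check a practitioner would add: the server re-hashes the client-supplied value with its own random salt and a slow KDF, so a leaked row no longer logs in. `NaiveServer`, `RehashingServer`, `client_hash`, `leak` and the `alice` credential are all constructed for this demo and are not from the original page.

```python
"""Added example (not part of the original thread): a stored, client-computed
hash is itself a credential, and what a server can do about it.

Scenario A (NaiveServer): the browser hashes the password and the server
stores and compares that hash directly. Whoever copies the user table can
log in by replaying the stored value.

Scenario B (RehashingServer): the server treats the client hash as an opaque
secret and runs it through its own salted PBKDF2 before storing. A leaked
row no longer authenticates.
"""
import hashlib
import hmac
import os

# Constructed sample credential for the demo; not a real account.
USERNAME = "alice"
PASSWORD = "correct horse battery staple"


def client_hash(username: str, password: str) -> str:
    """What a client-side hashing scheme sends instead of the password.
    The username acts as a per-user salt so two users with the same
    password send different values (hypothetical scheme for the demo)."""
    return hashlib.sha256(f"{username}:{password}".encode()).hexdigest()


class NaiveServer:
    """Scenario A: stores exactly what the client sends, compares on login."""

    def __init__(self):
        self.users = {}

    def register(self, username: str, client_value: str) -> None:
        self.users[username] = client_value

    def login(self, username: str, client_value: str) -> bool:
        stored = self.users.get(username)
        return stored is not None and hmac.compare_digest(stored, client_value)


class RehashingServer:
    """Scenario B: re-hashes the client value server-side with a random salt
    and PBKDF2, so the database row is not the value seen on the wire."""

    def __init__(self, iterations: int = 100_000):
        self.users = {}
        self.iterations = iterations

    def _derive(self, client_value: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac(
            "sha256", client_value.encode(), salt, self.iterations
        )

    def register(self, username: str, client_value: str) -> None:
        salt = os.urandom(16)
        self.users[username] = (salt, self._derive(client_value, salt))

    def login(self, username: str, client_value: str) -> bool:
        rec = self.users.get(username)
        if rec is None:
            return False
        salt, stored = rec
        return hmac.compare_digest(stored, self._derive(client_value, salt))


def leak(server, username: str):
    """Simulate a database compromise: the attacker reads the stored row."""
    return server.users[username]


def pass_the_hash_demo():
    """Returns (naive_replay_works, rehash_replay_works, legit_login_works)."""
    naive = NaiveServer()
    naive.register(USERNAME, client_hash(USERNAME, PASSWORD))
    stolen = leak(naive, USERNAME)
    # No knowledge of the password needed: the stored hash is the credential.
    naive_replay = naive.login(USERNAME, stolen)

    rehash = RehashingServer()
    rehash.register(USERNAME, client_hash(USERNAME, PASSWORD))
    _salt, stolen_digest = leak(rehash, USERNAME)
    # The attacker holds the stored digest but not the pre-image the
    # server's KDF expects, so replaying the row fails.
    rehash_replay = rehash.login(USERNAME, stolen_digest.hex())
    # The legitimate client, which still knows the password, succeeds.
    legit = rehash.login(USERNAME, client_hash(USERNAME, PASSWORD))
    return naive_replay, rehash_replay, legit


if __name__ == "__main__":
    print(pass_the_hash_demo())  # (True, False, True)
```

Note that scenario B does not undo what the comment argues for: the server still never sees the cleartext password, and the client-side hash is still what crosses the wire. The extra server-side step only changes what a stolen database row is worth to an attacker.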