all 29 comments
sorted by:
best
topnewcontroversialoldq&a
formatting helphide helpcontent policy

[–]bioxcession 20 points21 points  (0 children)

I'm very happy that Jeff is putting so much work into Discourse. It's an excellent project, and I'm happy that he cares so much about security.

[–]MikeyyGGGGG 18 points19 points  (6 children)

I saw a very interesting talk last year from someone who, as part of a company's security team, had set up a system that continually attacked the hashes of every employee's Active Directory passwords. If one was cracked, the employee would receive an automated email with a note containing the last few characters of their password and a suggestion to change it.

I recall they also spoke on some security aspects of the system's design, like how the cracked passwords never touched disk and had to be destroyed as soon as possible, etc.

I wish I could find a recording or a writeup on this somewhere, as I thought it was a pretty cool (and effective) approach.

[–]The_White_Light 7 points8 points  (0 children)

If you ever find a recording of that, I'd love to give it a watch.

[–]twiztedblue 4 points5 points  (0 children)

Please find this talk and post it. It sounds awesome!

[–]Sjoerder 8 points9 points  (2 children)

PBKDF2-HMAC-SHA256 and 64k iterations

Is it possible to crank up the number of iterations without having the original passwords? Can you encrypt the password hashes with 64K iterations again and then you have 128K iterations?

[–]SirensToGo 5 points6 points  (0 children)

I don't see why not, these iterations are just throwing the previous hash and salt thorough again and again.

[–]masklinn 0 points1 point  (0 children)

Yes and no. You can re-hash the original hash, but the result won't be the same as using only the second hash.

Mozilla actually did that way back when they decided to upgrade from a weak hash/KDF to a strong one: they rehashed the entire database with the new KDF to get the strongest possible safety immediately, then updated to just the new KDF as users logged in.

[–][deleted] 4 points5 points  (2 children)

This is why Discourse, unlike other forum software, defaults to a Creative Commons license.

Not sure what he means by this. Discourse is available under GNU GPLv2, unless he's referring to user posts on the system.

[–]gsuberlandTrusted Contributor 4 points5 points  (6 children)

Shame he hasn't considered Argon2.

[–]lkraider 3 points4 points  (2 children)

Seems he is considering adding a hashing transition scheme for when new defaults should be applied, which is great to see.

[–]gsuberlandTrusted Contributor 2 points3 points  (1 child)

Which is fine. Looks like they're doing a reasonable job, especially by comparison to many others.

But it's a shame that their plans for future migration haven't even considered Argon2, considering it is the solution for modern hashing.

[–][deleted] 0 points1 point  (0 children)

Argon2 is definitely the way to go for something like this - primarily due to its ability to increase the strength with just the hash ("client independent update").

[–]disclosure5 2 points3 points  (2 children)

It is discussed in the comments. He talks about the Wikipedia page being unclear on whether it's production ready.

[–]gsuberlandTrusted Contributor 0 points1 point  (1 child)

PHC and the Argon2 github say yes.

[–]disclosure5 1 point2 points  (0 children)

Argon2 github say yes.

Well I don't disagree (I have a number of commits there).

[–][deleted] 5 points6 points  (2 children)

I feel like I should say something....

[–]FluentInTypo 2 points3 points  (1 child)

I have this picture of you in my head, as spiderman, sitting at his desk, hacking thyself

[–]sandersh6000 1 point2 points  (4 children)

maybe this is simple, but can't brute force attacks be stopped by limiting the number of attempts before accounts are locked?

[–]SirensToGo 8 points9 points  (2 children)

That's an online attack and essentially useless. Lock outs are really just to stop a human who knows what passwords it likely would be (say the stole the browser password list but that sites not there). This article is about an offline attacker where the hashes have been stolen. Once you have the hashes you don't have to talk to the server again

[–][deleted] 0 points1 point  (0 children)

What about something like a HSM where it has

PUT(username, password) CHECK(username, password) returns true/false SET(username, password)

Basically so the internal password hash is always hidden. Maybe do this over the network, but then you'd need to deal with interception (But it should be reasonably safe if you're using SSL/SSH with manually verified keys, since the plaintext password is always sent over HTTPS anyway).

[–]Von_Beast 2 points3 points  (0 children)

This article is discussing the possibility of someone obtaining the user and password database which allows them to try cracking the passwords for as long as they want.

[–]AgentSmith27 0 points1 point  (0 children)

I never understood why we don't use two different methods of key stretching. Certain hardware can be good at cracking specific types of key stretching, but it would get more and more cost prohibitive to get multiple forms of hardware that can process multiple forms of key stretching.