I was watching How Do Passwords Get Stolen? and I could not help but voice that passwords should never be encrypted on a server for login, as Linus said they do.

Quote
If an attacker exploits vulnerabilities in a server's security and is able to find encrypted passwords, they could break the encryption if it's not sufficiently strong or if the passwords themselves aren't very long.

(directly taken from the transcript)

(BTW I am not an expert nor that good at web server administration, but I have looked into it as a mild interest.)

https://linustechtips.com/topic/625372-password-management/

So you'd rather they be in plain text where the attacker will have no work to do to get all the data?

Sorry but that's just foolish. Sony used to not encrypt their stuff, see what happened when they got hacked and suddenly millions of user account, including credit card numbers, were out there fresh for the taking.

Encryption is good. Long and strong passwords are great, but if the attacker only needs to access the server and suddenly has the passwords of every user, in plain text, that strong password is completely useless. Let the attacker work for it if he/she wants your passwords badly enough that they are willing to spend a couple of hours/days/months trying to decrypt a truly strong encryption.

CPU: AMD Ryzen 3700x / GPU: Asus Radeon RX 6750XT OC 12GB RAM: Corsair Vengeance LPX 2x16GB DDR4-3200
MOBO: MSI B450m Gaming Plus NVME: Corsair MP510 240GB / Case: TT Core v21 PSU: Seasonic 750W / OS: Bazzite

12 minutes ago, The Gathros said:

I was watching How Do Passwords Get Stolen? and I could not help but voice that passwords should never be encrypted on a server for login, as Linus said they do.

(directly taken from the transcript)

(BTW I am not an expert nor that good at web server administration, but I have looked into it as a mild interest.)

ummm.... no. It being encrypted at the least takes more time to get it done.

CPU FX 8320, Motherboard ASUS M5A78L-M/USB3 Socket AM3+ AMD, RAM G.Skill Ripjaws X series (2x8GB), GPU Strix GTX 970, Storage 500GB + 500GB + 250 SSD, PSU EVGA 600W B 80 PLUS BRONZE, Display(s) ASUS VG248QE 24" + Hisense 24" + Vizio 24", Cooling Cooler Master Hyper 212 EVO, PC Part Picker http://pcpartpicker.com/p/LFxQ23

Any password can be brute-forced; it's only a matter of time. The basic reason for encrypting passwords and using hashing algorithms is to hopefully make it so difficult/take so much time that a hacker will just give up and move on to another target.

END OF LINE

-- Project Deep Freeze Build Log --

Quote me so that I always know when you reply, feel free to snip if the quote is long. May your FPS be high and your temperatures low.

2 minutes ago, DevilishBooster said:

Any password can be brute-forced; it's only a matter of time. The basic reason for encrypting passwords and using hashing algorithms is to hopefully make it so difficult/take so much time that a hacker will just give up and move on to another target.

I agree, but you can steal the key too as you're already in the server; so hashing is better to use than standard encryption.
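Worked example of the point being made here (hash the password, don't encrypt it), added as an illustration and not taken from any post in this thread or from the Computerphile video: a salted, slow password hash (PBKDF2-HMAC-SHA256 from Python's standard library) needs no key on the server, so an intruder who is "already in the server" finds nothing to copy and reverse; all that is left is guessing, and the iteration count sets how expensive each guess is. The record format, the function names, the `login` helper with its work-factor upgrade, and the sample user table are my own choices for this example.

```python
import hashlib
import hmac
import os
from typing import Optional

# Work factor for PBKDF2-HMAC-SHA256. Raising it slows down every login check
# and, equally, every guess made against a stolen copy of the database.
ITERATIONS = 200_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a self-describing record 'pbkdf2_sha256$<iters>$<salt hex>$<hash hex>'.

    Nothing secret is needed to produce or check this record: there is no key
    on the server that an intruder could copy and use to reverse it.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # fresh random salt per user
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and iteration count; compare in constant time."""
    try:
        algo, iters, salt_hex, hash_hex = record.split("$")
        salt, expected, rounds = bytes.fromhex(salt_hex), bytes.fromhex(hash_hex), int(iters)
    except ValueError:
        return False  # malformed record: never accept it
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    return hmac.compare_digest(digest, expected)


def needs_rehash(record: str, iterations: int = ITERATIONS) -> bool:
    """True when a record was made with a weaker work factor than current policy."""
    parts = record.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256" or not parts[1].isdigit():
        return True
    return int(parts[1]) < iterations


def login(users: dict, username: str, password: str) -> bool:
    """Check a login and transparently upgrade old records on success."""
    record = users.get(username)
    if record is None:
        # Still burn the work factor so an unknown user is not faster to probe.
        hash_password(password, salt=bytes(SALT_BYTES))
        return False
    if not verify_password(password, record):
        return False
    if needs_rehash(record):
        # The plaintext is only ever in hand at login time, so upgrade here.
        users[username] = hash_password(password)
    return True


if __name__ == "__main__":
    # Constructed sample "user table": two users who chose the same password,
    # plus one legacy record made with a weak work factor.
    users = {
        "alice": hash_password("correct horse battery staple"),
        "bob": hash_password("correct horse battery staple"),
        "carol": hash_password("hunter2", iterations=1_000),
    }
    print("same password, different records:", users["alice"] != users["bob"])
    print("alice logs in:", login(users, "alice", "correct horse battery staple"))
    print("bob with wrong password:", login(users, "bob", "hunter2"))
    print("carol needs rehash before login:", needs_rehash(users["carol"]))
    print("carol logs in:", login(users, "carol", "hunter2"))
    print("carol needs rehash after login:", needs_rehash(users["carol"]))
```

The record carries its own salt and iteration count, so the work factor can be raised later without touching old rows: an outdated record is simply rewritten the next time its owner logs in successfully.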

1 minute ago, The Gathros said:

I agree, but you can steal the key too as you're already in the server; so hashing is better to use than standard encryption.

If they can get in and install a keylogger, yes. It's also possible to have malware scan the drive(s) of a system and copy any keys stored in plain text, but if you are storing your encryption keys in plain text then I think you have bigger security issues to worry about....

3 minutes ago, DevilishBooster said:

If they can get in and install a keylogger, yes. It's also possible to have malware scan the drive(s) of a system and copy any keys stored in plain text, but if you are storing your encryption keys in plain text then I think you have bigger security issues to worry about....

I'm not sure what you're saying. (It has nothing to do with you.)

2 minutes ago, The Gathros said:

I'm not sure what you're saying. (It has nothing to do with you.)

Basically what I'm saying is that you can have the best cyber security technology in the world, but it all comes down to human error. A keylogger will allow a hacker to monitor and record all the activity on your computer, including the generation of encryption keys. Also, if you have people in your IT dept. storing the encryption key(s) in plain text where malware can easily identify it and not using an encryption key management system, that means they are inept/lazy/stupid and any breach of security would be their fault, not the fault of a poor encryption key. Human nature/human error will always be the weakest point in a secure system.

2 minutes ago, DevilishBooster said:

Basically what I'm saying is that you can have the best cyber security technology in the world, but it all comes down to human error. A keylogger will allow a hacker to monitor and record all the activity on your computer, including the generation of encryption keys. Also, if you have people in your IT dept. storing the encryption key(s) in plain text where malware can easily identify it and not using an encryption key management system, that means they are inept/lazy/stupid and any breach of security would be their fault, not the fault of a poor encryption key. Human nature/human error will always be the weakest point in a secure system.

I agree; I just wanted to say what experts do to store passwords. BTW I got this information from a Computerphile video and did further research.
