Abstract: Password hashing is a Big Headache, and doing it right is complicated
Quote: “Note that none of the C++11 random number engines (LCG, Mersenne-Twister, or Lagged Fibonacci) can be considered good enough for cryptographic purposes – in short, they’re way too predictable and can be broken by a determined attacker, given enough output has leaked.”
Assorted Rants Tagged ‘Password’, page 1:
Client-Plus-Server Password Hashing as a Potential Way to Improve Security Against Brute Force Attacks without Overloading the Server
Abstract: Client-Side password hashing (in addition to existing server-side hashing) can improve resilience to brute-force attacks.
Quote: “Even if client-side is 10x slower than server-side, it leaves us with 10x improvement which is certainly a good thing to have”
Part VIIb: Security (concluded) of 64 Network DO’s and DON’Ts for Multi-Player Game Developers
Quote: “What is practically very important – is to keep all the “unsanitized” data in one place.”
Another Quote: “What will happen if attacker got the whole database of your users’ passwords?”