mrkeen an hour ago

Flagged, so let's repost my same message, but with the actual text from the article this time.

-----

Dumb, especially the second point which argues against hashing.

  That mistake was their recommendations on how passwords should be stored. They recommended that systems should not store passwords, but instead assign each user a random “hash” function used to compute a number (the hash) from that users’ password.

Apparently, if I run a web service, I should store your actual passwords in - let's be generous and say an air-gapped vault.

  the private key stored on a system detached from any network and safely behind locks, guards, and whatever other physical security measures one might dream of.

I should use RSA as the means to store this data (at rest).

  With RSA, passwords could be hashed with a function that was one-way without the private key

This is so that I can later read everyone's passwords and use them to generate password policies.

  Storing numeric hashes instead of the passwords can protect users whose passwords are hard to guess, but it also prevents scientists from examining those passwords to determine if there might be categories of common (weak) passwords that users should be discouraged, or prevented, from choosing.

Which is funny, because the first point was that password policies are a mistake.

  First, was Morris and Thompson’s confidence that their solution, a password policy, would fix the underlying problem of weak passwords.

-----

Did I really strawman so hard as to be flagworthy?
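Added example (not part of mrkeen's comment or the article) showing the scheme the quoted passage describes: each user gets a random per-user parameter (the "random hash function", i.e. a salt) and only the one-way result is stored, so the operator can verify a login but cannot read the password back, unlike the RSA-with-escrowed-private-key variant. The `audit_weak` helper is a constructed illustration of the one kind of after-the-fact weak-password analysis that hashing still permits: testing stored records against a denylist of known-weak choices.

```python
import hashlib
import hmac
import os
from typing import Optional

ITERATIONS = 100_000  # assumed work factor for this demo

def make_record(password: str, salt: Optional[bytes] = None) -> dict:
    """Store a salted, iterated one-way hash (PBKDF2-HMAC-SHA256), never the password.
    The random salt plays the role of the per-user 'random hash function'."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt, "hash": digest}

def verify(record: dict, candidate: str) -> bool:
    """Recompute the one-way hash for the candidate and compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(), record["salt"], ITERATIONS)
    return hmac.compare_digest(digest, record["hash"])

def same_password_same_hash(password: str) -> bool:
    """Two users choosing the same password get different stored hashes, so the
    stored values alone do not reveal that they share a password."""
    return make_record(password)["hash"] == make_record(password)["hash"]

def audit_weak(record: dict, denylist: list) -> Optional[str]:
    """Defender-side audit: report which denylisted password (if any) a stored
    record matches. Only listed candidates can be tested; the plaintext itself
    is never recoverable from the record."""
    for weak in denylist:
        if verify(record, weak):
            return weak
    return None

if __name__ == "__main__":
    rec = make_record("correct horse")
    print(verify(rec, "correct horse"), verify(rec, "wrong"))
    print(same_password_same_hash("hunter2"))
    print(audit_weak(make_record("password"), ["123456", "password"]))
```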

Terr_ 8 hours ago

> As a result of Morris and Thompson’s recommendations [of one-way hashing] and those who believed their assumptions without evidence, it was not until well into the 21st century that the scientific community learned just how ineffective password policies were.

Not sure about where the "scientific" community boundaries are, but I'm pretty sure that even in the pre-21st decades it was no secret among system administrators. They knew their users erred towards the most terrible passwords the system would permit.

  • eesmith 7 hours ago

    Yes, they knew it was a problem because tools like John the Ripper, a password cracking software tool, were developed in the 1990s and showed that a lot of people used easily cracked passwords. (I mention that one because it's one I used back then, as a part-time sys admin.)

    The part which makes the text correct (or at least "technically correct") is "just how ineffective". Password crackers couldn't analyze the uncracked passwords to tell you how effective they actually were, leaving doubt.