Date: Sun, 15 Apr 2018 11:59:46 -0400
From: Arnold Reinhold <>
To: Jim Fenton <>
Cc:, Solar Designer <>
Subject: Re: keyed hash vs. encryption

> On Apr 13, 2018, at 6:08 PM, Jim Fenton <> wrote:
> ...
> I'm sure there are other organizations like that. Perhaps I should be preaching this in an RSA Conference talk next week, but wasn't sure if this was appropriate as a contractor (not a NIST representative).
> -Jim

Unsafe storage of password validation data is a massive security problem. This thread started with a discussion of how best to use a corpus of 300 million passwords that have become available as a result of cracking purloined password validation data. Presumably much larger numbers of passwords have been cracked by criminal organizations and hostile state actors. 

Unlike many security issues, this is a problem that has solutions that are feasible and affordable. Several are recommended in NIST SP800-63B. I realize that NIST guidelines are only normative for U.S. federal government agencies, however they have significant influence on the private sector. Most other organizations, such as OWASP, have much less leverage in practice.

Even sticking to the IT activities of the Federal government, I would argue there is both a need and a mandate for improvement. Executive Order 13800, issued almost a year ago, starts out saying “The executive branch operates its information technology (IT) on behalf of the American people. Its IT and data should be secured responsibly using all United States Government capabilities.” The revised SP800-63 can add significantly to those capabilities if its recommendations are implemented. At the very least it would be helpful to know what actions, if any, are underway to improve storage of password validation data in the Federal government and the private sector.

Without revisiting SP800-63B, there is valuable work to be done within NIST. For example, NIST provides separate guidance for the size of keys, salts, hashes, etc. to be used with NIST approved algorithms. Developing guidance for work factors to be used with resource-intensive hash algorithms (-63B mentions PBKDF2 and Balloon) would seem an appropriate follow-on effort. So would developing specific guidance on exactly how to transition or upgrade from one method for storing password validation data to another, e.g. by rehashing or encrypting older data. Specifying precisely the method to be used should be reasonably straightforward, yet having a worked-through algorithm would save agencies time and cost while preventing implementation mistakes that could compromise security during the transition.

Jim, I realize you have limited influence at NIST, and I very much appreciate your taking the time to participate in this forum. But if there is some way you could generate interest in starting a discussion of these issues at RSA or within the federal government, perhaps by suggesting an informal meeting, I would be glad to help in any way I could.

Arnold Reinhold
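
Added example, not part of the original message and not NIST guidance: one way the "transition by rehashing older data" mentioned above can work, where stored legacy hashes are wrapped with PBKDF2 offline and replaced by a direct PBKDF2 hash at the next successful login. The legacy scheme (a single salted SHA-256), the record layout, the function names and the iteration count are all assumptions made for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed work factor for this example, not a recommended value

def legacy_hash(password: str, salt: bytes) -> bytes:
    """Constructed 'old' scheme: one salted SHA-256, cheap to brute-force."""
    return hashlib.sha256(salt + password.encode()).digest()

def pbkdf2(data: bytes, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", data, salt, ITERATIONS)

def new_record(password: str) -> dict:
    salt = os.urandom(16)
    return {"scheme": "pbkdf2", "salt": salt,
            "hash": pbkdf2(password.encode(), salt)}

def wrap_legacy(record: dict) -> dict:
    """Offline step: needs no password. The old hash becomes the PBKDF2
    input and is then discarded, so the fast hash is no longer stored."""
    if record["scheme"] != "sha256":
        return record  # already upgraded
    salt = os.urandom(16)
    return {"scheme": "pbkdf2(sha256)", "legacy_salt": record["salt"],
            "salt": salt, "hash": pbkdf2(record["hash"], salt)}

def verify(record: dict, password: str):
    """Return (ok, record_to_store). A wrapped record is replaced by a
    direct PBKDF2 record once the user proves knowledge of the password."""
    scheme = record["scheme"]
    if scheme == "pbkdf2":
        candidate = pbkdf2(password.encode(), record["salt"])
    elif scheme == "pbkdf2(sha256)":
        inner = legacy_hash(password, record["legacy_salt"])
        candidate = pbkdf2(inner, record["salt"])
    else:
        # Unwrapped legacy records must be migrated before they are accepted.
        raise ValueError(f"unsupported scheme: {scheme}")
    ok = hmac.compare_digest(candidate, record["hash"])
    if ok and scheme != "pbkdf2":
        record = new_record(password)
    return ok, record
```

The wrapped form has to keep the legacy salt for as long as the record exists, and a copy of the old table in a backup remains as weak as before the upgrade.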
