

Question

Let's assume I want to give my hypothetical 10-million-user user base good feedback on their password strength. Besides the classical entropy tests and the top-500 list of bad passwords, I might want it to be based on "there are already more than N users with the same password" (for N, maybe 100).

So, aside from the state-of-the-art multi-round salted password hashing, I naively store a big table of password:counter pairs (and maintain it through password changes) and tell the user that his password is bad when that counter reaches N. Now, of course, this defeats my good password-hash management: whoever gets that table has all the possible passwords and can just try them trivially. I could hash them, but that would only add a time factor far too small to be secure.

So how can I (if at all) maintain any statistics that would give me these counters (or something similar enough, with not too many false positives) without the statistics data being more of a security risk when exposed than the table of password hashes?
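As an added example that is not part of the original question: one way to keep the "how many users share this password" counters the question asks for without storing anything an attacker holding the table could test candidate passwords against. It replaces the plain password:counter table with a count-min sketch whose counter positions are derived with HMAC-SHA256 under a secret key. The class name, the sizing constants and the assumption that the key is kept outside the database (for instance in an HSM or a separate secrets store) are all choices of this example, not something the question states.

```python
import hashlib
import hmac
import secrets

# Added example (not from the original question): a keyed count-min sketch that
# tracks how many current users share a password without storing the passwords.
# Each password maps to one counter per row via HMAC-SHA256 under a secret key;
# the table holds only integers, so on its own it gives an attacker nothing to
# test candidates against. Keeping that key out of the database (e.g. in an HSM
# or a separate secrets store) is an assumption of this design.

DEPTH = 4               # independent hash rows; more rows lower the false-positive rate
WIDTH = 1 << 20         # counters per row; size this to the expected number of users
POPULARITY_LIMIT = 100  # N from the question: reject a password once N users share it


class PasswordPopularity:
    def __init__(self, key: bytes, depth: int = DEPTH, width: int = WIDTH,
                 limit: int = POPULARITY_LIMIT):
        self.key = key
        self.depth = depth
        self.width = width
        self.limit = limit
        self.table = [[0] * width for _ in range(depth)]

    def _positions(self, password: str):
        # One keyed MAC per row, domain-separated by the row index.
        data = password.encode("utf-8")
        for row in range(self.depth):
            mac = hmac.new(self.key, bytes([row]) + data, hashlib.sha256).digest()
            yield row, int.from_bytes(mac[:8], "big") % self.width

    def estimate(self, password: str) -> int:
        # Count-min never underestimates: a collision can only inflate a cell, and
        # taking the minimum over rows keeps that inflation small. "Not popular" is
        # therefore always a correct verdict; "popular" is correct up to a bounded
        # false-positive rate, the one-sided error the question is willing to accept.
        return min(self.table[r][c] for r, c in self._positions(password))

    def too_popular(self, password: str) -> bool:
        return self.estimate(password) >= self.limit

    def add(self, password: str) -> None:
        # Call when a user sets this password.
        for r, c in self._positions(password):
            self.table[r][c] += 1

    def remove(self, password: str) -> None:
        # Call with the old password when a user changes it, so counts stay current.
        for r, c in self._positions(password):
            if self.table[r][c] > 0:
                self.table[r][c] -= 1

    def stored_counter_total(self) -> int:
        # Everything the table holds: a sum of plain counters, no digests to crack.
        return sum(map(sum, self.table))


if __name__ == "__main__":
    sketch = PasswordPopularity(key=secrets.token_bytes(32), width=1 << 16, limit=3)
    for _ in range(3):
        sketch.add("hunter2")
    print("hunter2 too popular:", sketch.too_popular("hunter2"))   # True
    sketch.remove("hunter2")
    print("after one change:", sketch.too_popular("hunter2"))       # False
```

The security of the table rests entirely on the key: without it an attacker cannot recompute which counters belong to which password, so the leaked table degrades to a list of integers, while the hash table of credentials keeps its own slow, salted protection. The error is one-sided: collisions can make a rare password look popular (a false positive that costs the user a retry), but never make a popular password look rare. Widening the rows or adding rows trades memory for a lower false-positive rate.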

Explanation / Answer

Hashing is not a foolproof mechanism to deter security attacks. Maintaining the statistics in a table, even after hashing, would pose more of a risk than a solution. Even if you decide to go ahead with storing the hashed passwords in the database, ensure that salting is carried out in the hashing mechanism. Salting provides the use of not a single but various hash functions to encrypt the given data. These are very powerful in deterring rainbow or parallel security attacks. MD5, the most preferred hashing function, does not safeguard against parallel attacks. More powerful hashing functions that use salt include PBKDF2 and scrypt. An additional safeguard would be to store the hashed password on the individual client machine instead of storing it on the server.
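As an added example that is not part of the answer above: salted, iterated password storage with PBKDF2-HMAC-SHA256 from Python's standard library, with an unsalted fast hash beside it for contrast. The record format, the function names and the iteration count are assumptions of this example. It also shows why the question's duplicate-password count cannot be read off a properly salted hash table: two users with the same password get different records.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Added example (not from the answer above): per-user salted, iterated password
# hashing with PBKDF2-HMAC-SHA256 from the Python standard library. The record
# layout and the iteration count are assumptions for illustration; take the
# iteration count (or scrypt/Argon2 parameters) from a current recommendation.
ALGO = "pbkdf2_sha256"
ITERATIONS = 600_000
SALT_LEN = 16


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algo$iterations$salt_hex$digest_hex."""
    if salt is None:
        salt = secrets.token_bytes(SALT_LEN)   # fresh random salt for every user
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGO}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute with the salt and iteration count stored in the record."""
    try:
        algo, iterations, salt_hex, digest_hex = record.split("$")
    except ValueError:
        return False
    if algo != ALGO:
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    # Constant-time comparison so the verifier leaks nothing through timing.
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


def same_digest(record_a: str, record_b: str) -> bool:
    """True only if two records carry the same digest. With per-user salts this
    is False even for identical passwords, which is why a salted hash table
    cannot answer 'how many users share this password'."""
    return record_a.split("$")[3] == record_b.split("$")[3]


def unsalted_digest(password: str) -> str:
    """For contrast only: an unsalted fast hash (the same holds for MD5). Equal
    passwords give equal digests, so duplicates are visible to anyone holding
    the table and one precomputed table of digests covers every user at once."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


if __name__ == "__main__":
    a = hash_password("hunter2")
    b = hash_password("hunter2")
    print("salted records equal:", same_digest(a, b))                       # False
    print("unsalted digests equal:", unsalted_digest("hunter2") == unsalted_digest("hunter2"))  # True
    print("verify:", verify_password("hunter2", a), verify_password("wrong", a))  # True False
```

Storing the iteration count in the record lets the cost be raised later for new or re-hashed passwords without breaking verification of older ones, and `hmac.compare_digest` keeps the final comparison constant-time.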