Tools

  • List of Volatility Plugins
    Leading the open-source memory analysis field (forensics, IR, exploit dev)
  • IDA Toolbag
    Excellent new set of tools for IDA Pro
  • Inception
    Up-to-date FireWire toolchain for dumping memory over the FireWire interface. It can also unlock locked workstations, since FireWire, by design, gives full access to memory via DMA.
  • Cryptshark
    .NET library offering Blowfish, bcrypt, scrypt, and PBKDF2 with any HMAC, written as a follow-up to my blog post on how to store passwords securely; if you're into .NET, give it a look.

Introduction

Given the latest string of high-profile websites being compromised and parts of their password hashes being published, here is a quick crash course on storing passwords "securely", for those who want a quick heads-up. In this context I define securely as "offering a suitable time window of resistance against recovery after being compromised". I will keep this post short and sweet and use links where possible for those interested in more information.

Update: After reading this blog post, read Brian Krebs's interview with Thomas H. Ptacek on the matter.
Update: Wrong bcrypt link fixed; updated the year bcrypt was presented.

Details

Putting things into perspective, below are the most common forms of storing passwords (ordered from worst to best):
  • Storing credentials in clear text
  • Storing credentials using a hash (MD5, SHA, SHA256)
  • Storing credentials using a unique salt per entry and a hash (MD5, SHA, SHA256)
  • Storing credentials using key-stretching mechanisms or schemes that are otherwise deliberately time-expensive (PBKDF2, bcrypt, scrypt, phpass)
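The following Python script is an added example, not code from this post or from Cryptshark, showing the last three tiers of the list side by side using only the standard library: a plain SHA-256 hash, a per-entry salted hash, and PBKDF2-HMAC-SHA256 with a self-describing stored record, constant-time verification and an upgrade check for when the cost parameter is raised. The iteration count, the record format and the sample passwords are my own assumptions; bcrypt and scrypt are not in the Python standard library, so PBKDF2 stands in for the whole key-stretching tier.

```python
import hashlib
import hmac
import os

# Tier 2 (plain hash): no salt, so two users with the same password get the
# same digest, and one precomputed table of digests cracks every leaked entry.
def hash_unsalted(password: str) -> str:
    return hashlib.sha256(password.encode("utf-8")).hexdigest()

# Tier 3 (per-entry salt): the random salt is stored beside the digest, so
# equal passwords no longer collide and precomputation must be redone per user.
# A fast hash is still cheap to brute-force entry by entry.
def hash_salted(password: str, salt: bytes = None) -> str:
    if salt is None:
        salt = os.urandom(16)          # 128-bit random salt, unique per record
    digest = hashlib.sha256(salt + password.encode("utf-8")).hexdigest()
    return f"sha256${salt.hex()}${digest}"

# Tier 4 (key stretching): PBKDF2-HMAC-SHA256 from the standard library.
# The iteration count is the tunable cost; 200k is an assumed starting point,
# not a value from the post. Tune it so one verification costs roughly 100 ms
# on your login servers, then raise it as hardware gets faster.
DEFAULT_ITERATIONS = 200_000
DKLEN = 32

def hash_pbkdf2(password: str, salt: bytes = None,
                iterations: int = DEFAULT_ITERATIONS) -> str:
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                             iterations, dklen=DKLEN)
    # Self-describing record (assumed format): algorithm, cost, salt and digest
    # travel together, so the cost can be raised later without a flag day.
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"

def verify_pbkdf2(password: str, stored: str) -> bool:
    try:
        scheme, iters, salt_hex, dk_hex = stored.split("$")
        if scheme != "pbkdf2_sha256":
            return False
        iterations = int(iters)
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(dk_hex)
    except ValueError:
        return False                   # malformed record: fail closed
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                    iterations, dklen=DKLEN)
    # Constant-time comparison so the check does not leak, via timing, how
    # many leading bytes of the digest matched.
    return hmac.compare_digest(candidate, expected)

def needs_rehash(stored: str, iterations: int = DEFAULT_ITERATIONS) -> bool:
    """True when a stored record uses a lower cost than currently required;
    call after a successful login and re-store the password at the new cost."""
    try:
        scheme, iters, _, _ = stored.split("$")
        return scheme != "pbkdf2_sha256" or int(iters) < iterations
    except ValueError:
        return True

if __name__ == "__main__":
    # Constructed sample: two users who happen to share a password.
    alice, bob = "correct horse", "correct horse"
    print("unsalted collide:", hash_unsalted(alice) == hash_unsalted(bob))
    print("salted collide:  ", hash_salted(alice) == hash_salted(bob))
    record = hash_pbkdf2(alice, iterations=50_000)
    print("stored record:", record)
    print("verify ok:   ", verify_pbkdf2("correct horse", record))
    print("verify wrong:", verify_pbkdf2("incorrect horse", record))
    print("needs rehash at default cost:", needs_rehash(record))
```

Run it and the unsalted digests of the two shared passwords are identical while the salted ones differ; the PBKDF2 record carries its own iteration count, so raising DEFAULT_ITERATIONS later only triggers `needs_rehash` on the next successful login instead of invalidating every stored hash.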
