Posts with the tag passwords:
If you haven't read Part 1, please do so. Although the criticism of Part 2 should be taken with a grain of XKCD salt (even the primary plaintiff admitted that it would take him two months to crack the final salted SHA-512; usually your attacker shouldn't have your shadow file, and having stored passwords as anything less is just plain not secure), I will acknowledge it has some merit. Doing a base64 transformation on hex-only digits is a bad idea, and does not have nearly enough possible combinations.
This has been prompted by Dave Jacoby's post on generating passwords and the fact that I've learned a new trick since my first article in 2008, which you should read first (it's a prerequisite). Some might point out that using a hex digest limits the characters that will be generated too much; if so, do this instead: echo -n "date" | sum | base64. So let's say you have to change your password every month. Pick a day, let's say the second Tuesday of the month.
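As an added illustration (not code from the original posts or their author), here is a Python model of the echo | sum | base64 trick that also measures the keyspace an attacker who knows the scheme must search. It assumes GNU coreutils sum in its default BSD mode (a 16-bit rotate-and-add checksum printed as "%05d %5d\n" with the 1 KiB block count); the seed string and the 32-hex-digit sample are constructed inputs.

```python
"""Model the "echo -n ... | sum | base64" password scheme and size its keyspace.

Added illustration, not code from the original posts.  It assumes GNU coreutils
`sum` in its default (BSD) mode: a 16-bit rotate-and-add checksum, printed as
"%05d %5d\n" (checksum, then 1 KiB block count).  Everything else is derived.
"""
import base64
import math


def bsd_sum(data: bytes) -> int:
    """BSD 16-bit checksum: rotate right one bit, add the next byte, mask to 16 bits."""
    checksum = 0
    for byte in data:
        checksum = (checksum >> 1) | ((checksum & 1) << 15)
        checksum = (checksum + byte) & 0xFFFF
    return checksum


def sum_output(data: bytes) -> bytes:
    """Text `sum` writes for stdin input (output format assumed as above)."""
    blocks = math.ceil(len(data) / 1024)
    return f"{bsd_sum(data):05d} {blocks:5d}\n".encode()


def derive_password(seed: str) -> str:
    """The trick from the post: echo -n "$seed" | sum | base64."""
    return base64.b64encode(sum_output(seed.encode())).decode()


def full_keyspace(max_blocks: int = 1) -> set[str]:
    """Every password the scheme can emit for seeds of up to max_blocks KiB.

    The seed's format does not matter: whatever is fed in, the output is one of
    65536 checksums per block count, so the attacker never needs the seed.
    """
    return {
        base64.b64encode(f"{ck:05d} {blocks:5d}\n".encode()).decode()
        for blocks in range(1, max_blocks + 1)
        for ck in range(1 << 16)
    }


def crack(password: str, max_blocks: int = 1) -> tuple[int, int]:
    """Recover the checksum behind a leaked password by plain enumeration.

    Returns (checksum, guesses_needed).  Worst case is 65536 * max_blocks.
    """
    guesses = 0
    for blocks in range(1, max_blocks + 1):
        for ck in range(1 << 16):
            guesses += 1
            candidate = base64.b64encode(f"{ck:05d} {blocks:5d}\n".encode()).decode()
            if candidate == password:
                return ck, guesses
    raise ValueError("password was not produced by this scheme")


def hex_vs_base64_bits(hex_digest: str) -> tuple[int, int]:
    """(apparent, actual) bits when a hex digest is base64-encoded.

    A reader credits base64 with 6 bits per character, but the input alphabet
    was only 16 symbols, so the real space is 4 bits per hex digit.
    """
    encoded = base64.b64encode(hex_digest.encode()).decode().rstrip("=")
    return 6 * len(encoded), 4 * len(hex_digest)


if __name__ == "__main__":
    seed = "Tue Feb 10 2009"          # constructed stand-in for `date` output
    pw = derive_password(seed)
    checksum, guesses = crack(pw)
    space = len(full_keyspace())
    print(f"seed {seed!r} -> password {pw}")
    print(f"recovered checksum {checksum} after {guesses} guesses "
          f"(keyspace {space} = {math.log2(space):.0f} bits)")
    # constructed 32-hex-digit value standing in for an MD5 hex digest
    print("hex->base64 apparent/actual bits:",
          hex_vs_base64_bits("d41d8cd98f00b204e9800998ecf8427e"))
```

The point is in full_keyspace and crack: because sum is a 16-bit checksum, the password is one of at most 65536 strings per block count no matter what date format or secret goes in, so knowing the scheme is enough to enumerate every possible output in well under a second. hex_vs_base64_bits makes the same point for the Part 2 critique: base64 adds length, not combinations.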
So I just had a discussion on #ubuntu-server on freenode about why my not having a password to connect to PostgreSQL via a socket (read: local CLI) is insecure. So I asked them: how exactly is it that someone is going to get this access? The answer: "there are bad people on the Internet". I'm sure many people right now are agreeing with them and thinking I'm crazy. Let's discuss my setup though, shall we?
Update: I would suggest using a password manager like LastPass, or a long passphrase before this method now.
For the basic method you need a calculator with a decimal-to-hex function. Your OS should have one built in (scientific mode), and many handheld calculators do too. For the advanced method you'll need special hashing software; suggestions for it can be found below.
Windows: HashCalc; Macintosh: MacHash; Linux/(*nix): GNU coreutils. Now that we have the software we need.