Tom Olzak

It isn’t the algorithm, it’s the admin…

In Access Controls, Password Management, SHA on February 18, 2013 at 19:04

In a recent Threat Post article, Dennis Fisher writes about a competition to find a new password hashing algorithm.  Actually, I thought we had enough.  Let’s see… we have SHA-2 and SHA-3 (just approved by NIST), so what is the rush for a new one?  It seems the supporters of this competition believe their efforts will help stop use of unencrypted password stores.  Really?

The problem is not with hashing algorithms.  Rather, it is with the questionable reasoning of administrators or business managers that can’t seem to understand the need to scramble passwords in storage or in transit.  It also exists in the mental voids where managers seem to justify weak passwords and weak prevention, detection, and response controls.  We have the hash algorithms we need; we just need to use them. But even if a better algorithm is found, who is going to make people use it?  SHA-1 might be weak, but it’s betting than nothing.  SHA-2 is still effective, and SHA-3 is waiting in the wings for deployment (http://valerieaurora.org/hash.html).

Yes, faster is better.  Stronger is better.  But getting people to do the right thing requires more than a better, faster algorithm.

Comments are closed.

%d bloggers like this: