08.Dec.10
The savannah.gnu incident and the Sibyl

The savannah.gnu.org compromise in December 2010 is another example of the weakness of system passwords: there will always be someone using a key that can be brute-forced, and that is the weakest link. I just want to point out to all our readers out there that the Sibyl is precisely an idea to implement a secure way to store hashes of passwords and to prevent brute-force attacks on them. It is not computationally cheap, nor the simplest of setups, but security has a price. At least it is 'gratis' and BSD-licensed, except for the hardware part, which depends on your implementation. Hope you like it.
04.Aug.10
The Sibyl

The Sibyl is a project invented and implemented by Pedro (pfortuny) and me (rafacas), although I have to admit that it was Pedro's idea. It started with the goal of securely storing the shadow file and, in general, any database of secret authentication tokens (think of the passwords, or rather the hashes of the passwords, of the users of a Web-based service, for example). We believe it addresses the main concern with those databases: dictionary attacks and rainbow tables, which have become available at negligible cost; there is even a cloud-based service for running dictionary attacks on a WPA key. Our approach for storing shadow files ...