OK, here's the real problem that NOBODY seems to be grasping. The point of failure is the few sites that are already storing someone's email, username, and password in plain text.
Every other site on the planet can start encrypting, using salts, hashing, etc., but the site that will be attacked is the site that emails back passwords to their users in plain text when they use the "forgot my password" page.
Why would a hacker waste their time elsewhere? They will create an account, use the "forgot" form, and if they get their password back in plain text, they know they have a target-rich database.
The ONLY true form of password protection once again lies in the hands of the USER who MUST create different passwords at every site if they really want their identity protected. Sorry. If you don't know how to keep your passwords in a protected database on your PC, learn.
After all, if a hacker is already in the database stealing passwords, they've got your data too if they want it. Might as well spend your time protecting your identity elsewhere.
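The contrast the comment draws, as an added example that is not part of the original post or of any site it describes: a store that keeps the password itself (so the "forgot my password" mailer can hand it straight back) next to a salted PBKDF2-HMAC-SHA256 store, where the only thing a reset flow can issue is a single-use, expiring token whose hash is all the server retains. The store classes, the user "alice" and her passwords are constructed for the example; the iteration count follows OWASP's current PBKDF2-SHA256 guidance.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets

PBKDF2_ITERATIONS = 600_000  # OWASP's current recommendation for PBKDF2-HMAC-SHA256
RESET_TOKEN_TTL = 3600       # seconds a reset link stays valid (assumption for the example)


def hash_password(password: str, salt: bytes | None = None) -> tuple[bytes, bytes]:
    """Return (salt, digest); a fresh 16-byte random salt is drawn per password."""
    if salt is None:
        salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


class PlaintextStore:
    """The anti-pattern the comment describes: the password itself is the record."""

    def __init__(self) -> None:
        self.users: dict[str, str] = {}

    def register(self, username: str, password: str) -> None:
        self.users[username] = password

    def forgot_password(self, username: str) -> str | None:
        # A mailer can only return this because the password is recoverable.
        return self.users.get(username)


class HashedStore:
    """Salted, iterated hashes; the password never exists server-side after registration."""

    def __init__(self) -> None:
        self.users: dict[str, dict[str, bytes]] = {}      # username -> {"salt", "digest"}
        self.reset_tokens: dict[bytes, tuple[str, int]] = {}  # sha256(token) -> (user, expiry)

    def register(self, username: str, password: str) -> None:
        salt, digest = hash_password(password)
        self.users[username] = {"salt": salt, "digest": digest}

    def verify(self, username: str, password: str) -> bool:
        rec = self.users.get(username)
        if rec is None:
            # Burn a PBKDF2 round anyway so response time does not reveal valid usernames.
            hash_password(password, b"\x00" * 16)
            return False
        _, digest = hash_password(password, rec["salt"])
        return hmac.compare_digest(digest, rec["digest"])

    def forgot_password(self, username: str, now: int) -> str | None:
        """There is nothing to email back but a one-time token; only its hash is stored."""
        if username not in self.users:
            return None
        token = secrets.token_urlsafe(32)
        key = hashlib.sha256(token.encode("ascii")).digest()
        self.reset_tokens[key] = (username, now + RESET_TOKEN_TTL)
        return token

    def reset_password(self, token: str, new_password: str, now: int) -> bool:
        key = hashlib.sha256(token.encode("ascii")).digest()
        entry = self.reset_tokens.pop(key, None)  # pop makes the token single-use
        if entry is None:
            return False
        username, expiry = entry
        if now > expiry:
            return False
        self.register(username, new_password)  # new salt, new digest
        return True
```

The hacker's probe from the comment (register, click "forgot", see what comes back) is exactly the difference between `PlaintextStore.forgot_password`, which returns the password, and `HashedStore.forgot_password`, which returns a random token that is useless after one use or an hour, and which cannot be turned back into the password even by someone holding the whole `users` table.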
When I was interviewing, an applicant showed me some code that didn't hash passwords -- that's exactly what I expect in a co-op student. I think there are two problems:
- it's too easy to take sample code off the web, and it's easier to take exactly what you want rather than some general pseudo code written by BSchneier