[lug] Application Password Security
George Sexton
georges at mhsoftware.com
Mon Jun 20 14:44:30 MDT 2016
I'm writing a password security update for some software. I'm going to a
BCrypt algorithm which uses a salt, and an iteration count to transform
the password. I would go to Argon2, but I'm just not seeing a Java
implementation yet.
The software has historically had a feature that stops users from
re-using passwords by keeping a history. If the password database is
compromised, along with the password history, then I'm potentially
serving up not only their current password, but historical ones as well.
The question I'm struggling with is what's the bigger security risk?
Users re-using passwords, or my app keeping historical passwords.
Although I'm making it pretty expensive to generate a dictionary, it
still won't be impossible. I guess where I'm ending up is that the
chance of a BCrypt password being compromised is lower than the risk of a
user cycling through the same (or small set) of passwords.
I would be interested in hearing what others think...
--
George Sexton
*MH Software, Inc.*
Voice: 303 438 9585
http://www.connectdaily.com
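A worked illustration of the design George describes, added here and not part of his post or his software: a store that keeps a bounded history of salted, iterated hashes and rejects reuse of any entry. hashlib.pbkdf2_hmac stands in for BCrypt (an assumption, since the Python standard library ships no bcrypt); the class, names and constants are hypothetical.

```python
# Added example, not from the original post. PBKDF2-HMAC stands in for BCrypt:
# the structure is the same (per-entry random salt plus a cost parameter).
import hashlib
import hmac
import os
from typing import Dict, List, Optional

ITERATIONS = 60_000     # cost parameter; raise it as hardware gets faster
HISTORY_DEPTH = 5       # old hashes kept per user; bounds what a leak exposes


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return 'iterations$salthex$digesthex' with a fresh 16-byte salt."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, iterations)
    return f"{iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Re-derive with the stored salt and cost; compare in constant time."""
    iterations, salt_hex, digest_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


class PasswordStore:
    """Current hash plus up to HISTORY_DEPTH previous hashes per user."""

    def __init__(self) -> None:
        self._current: Dict[str, str] = {}
        self._history: Dict[str, List[str]] = {}

    def set_password(self, user: str, new_password: str) -> bool:
        # Every history entry carries its own salt, so the reuse check costs
        # one full derivation per entry. That cost is the same one an
        # attacker pays per guess if the table leaks.
        for old in [self._current.get(user)] + self._history.get(user, []):
            if old is not None and verify_password(new_password, old):
                return False            # recent password reused: reject
        if user in self._current:
            hist = self._history.setdefault(user, [])
            hist.insert(0, self._current[user])
            del hist[HISTORY_DEPTH:]    # drop entries beyond the cap
        self._current[user] = hash_password(new_password)
        return True

    def check_login(self, user: str, password: str) -> bool:
        stored = self._current.get(user)
        return stored is not None and verify_password(password, stored)
```

Lowering HISTORY_DEPTH shrinks both the reuse window and the number of derivations per change; the history entries are no weaker than the current hash, only more numerous.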