Of History & Hashes: A Brief History of Password Storage, Transmission, & Cracking by Adrian Crenshaw.
From the post:
A while back Jeremy Druin asked me to be a part of a password cracking class along with Martin Bos. I was to cover the very basics, things like “What is a password hash?”, “What types are there?”, and “What is the history of passwords, hashes and cracking them?”. This got me thinking about a paper I read in school that pretty much outlines most of the mistakes made in the handling of passwords and crypto over the almost four decades since it was written. I think a lot of academic InfoSec papers end up being self-indulgent navel gazing, but if this paper, “Password Security: A Case History – Robert Morris & Ken Thompson”, published on April 3, 1978, had been read by more people, many password storage problems would have been avoided. A great many people think of information security as being an ever-moving field where you have to constantly catch up, and it does have those aspects, but many problems and concepts go way back and people make the same sorts of mistakes over and over again. The way I like to put it is, “Software vulnerabilities generally get patched, but bad design decisions and recurring configuration mistakes are forever”. Were this Sunday School, I’d reference Ecclesiastes 1:9. In this post (and an upcoming talk at ShowMeCon) I’m going to pontificate about password history and mistakes in password handling that people might not have made if they had read up on password history.
…
I’m biased because I like computer history and design issues, but I think this is a great read. Just enough detail to keep your interest, but not so much that you can’t keep track of the story line.
Adrian finishes up with a set of links to other resources on password history.
Do you want to avoid prior password design issues or not?
I first saw this in a tweet by InfoSec Taylor Swift.
PS: Ecclesiastes 1:9.