Another security question

[Paul Rubin]

Chris Angelico <rosuav at gmail.com> writes:
> Solution: Don't use dictionary-attackable passwords. 

If you allow people to choose their own passwords, they'll too-often
pick dictionary-attackable ones; or even if they choose difficult ones,
they'll use them in more than one place, and eventually the weakest of
those places will eventually leak it.  At that point it can be tried
against whatever other hashes the attacker collected.

The -real- right thing to do is use a secret-keyed hash function like
HMAC-whatever, but that gives you a chicken-and-egg problem of how to
get the secret into the system and prevent it from escaping, when you've
postulated that the hashed passwords might escape.  That's doable
through hardware approaches like external crypto modules, TPM, secure
enclaves in the CPU, etc.; but none of that is very widely deployed at
the moment, and it brings its own unattractiveness.