"unsalted one-way encrypted hashes"?
unsalted one-way encrypted hashes would have been bad enough
They certainly would be. Surely everyone knows that you should use at least two-way hashes, or possibly three-way (particularly for those secure porn sites).
Look, Reg writers, I know you have difficulty with this particular area of technology for some reason. But let's try it one more time:
- Hashes are always one-way, by the pigeonhole principle, except for the special case of "perfect" (collision-free) hashes. A perfect hash is only possible when the domain is no larger than the range, of course, which is theoretically not the case with any decent password system (one that allows passwords, or better passphrases, that are longer than the hash). In principle the set of passwords in a given security domain may be small enough, and the hash size large enough, for a perfect hash; but that's clearly undesirable. So "one-way ... hash" is redundant in this context.
- Further to the previous point: cryptographic hashes (aka "message digests") are always one-way. That's one of the criteria for cryptographic hashes.
- Hashing is not encryption. Of course, the phrase "encrypted hashes" is ambiguous here, and it's not clear whether Leyden is conflating hashing and encryption, or suggesting that hashes should be encrypted as well, as a minimum security measure. While there's some ground for arguing that encryption provides additional security, it's a pretty small branch of the attack tree (attacker has the resources to feasibly find preimages for salted hashes, and motivation to do so, but can't extract the key used to encrypt/decrypt them), and the same improvement can be had at less cost simply by adding another salting term that's not stored in the database. (In either case, the attacker has to extract a secret from the application.)
- Yes, salting ought to be employed, as has been discussed ad nauseam of late, when password hashes are used as the verifier for user credentials. (Of course there are other, better, verification schemes, such as those based on ZKPs, like SRP and PAK-RY, where salting doesn't apply.) So +1 for "unsalted" - but in the end "unsalted hashes", without "one-way encrypted", would have been better.
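As an added illustration of the two points argued in the comment above (per-user salting, and an extra secret "salting term" kept out of the database instead of encrypting the stored hashes), here is example code that is not part of the original comment or the article it replies to. It contrasts an unsalted digest, where two users with the same password get the same stored value, with a salted PBKDF2 verifier whose salt is folded through an HMAC keyed with a server-side secret ("pepper"). The pepper bytes, the iteration count and the sample passwords are all constructed for this example; the pepper would normally live in application config or a secrets store, never in the same database as the verifiers.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Constructed example secret: the "salting term that's not stored in the
# database". In a real deployment this comes from config/KMS, not source.
PEPPER = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")

# PBKDF2-HMAC-SHA256 work factor (example value; tune to your hardware).
ITERATIONS = 600_000
SALT_LEN = 16


def unsalted_hash(password: str) -> bytes:
    """The weak scheme: identical passwords give identical stored values,
    so one rainbow table or one cracked row covers every matching user."""
    return hashlib.sha256(password.encode("utf-8")).digest()


def hash_password(password: str,
                  salt: Optional[bytes] = None,
                  pepper: bytes = PEPPER) -> Tuple[bytes, bytes]:
    """Return (salt, digest). The salt is random per user and stored with
    the digest; the pepper is mixed in via HMAC so a dumped table is not
    attackable without also extracting the pepper from the application."""
    if salt is None:
        salt = os.urandom(SALT_LEN)
    effective_salt = hmac.new(pepper, salt, hashlib.sha256).digest()
    digest = hashlib.pbkdf2_hmac("sha256",
                                 password.encode("utf-8"),
                                 effective_salt,
                                 ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes,
                    pepper: bytes = PEPPER) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, candidate = hash_password(password, salt, pepper)
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    # Two users, same (constructed) password.
    pw = "correct horse battery staple"
    print("unsalted equal:", unsalted_hash(pw) == unsalted_hash(pw))
    s1, d1 = hash_password(pw)
    s2, d2 = hash_password(pw)
    print("salted equal:  ", d1 == d2)
    print("verify ok:     ", verify_password(pw, s1, d1))
    print("wrong pepper:  ", verify_password(pw, s1, d1, pepper=b"other"))
```

Note that the pepper does not rescue a weak password on its own; it only raises the bar from "has the database" to "has the database and the application secret", which is the same attack-tree branch the comment assigns to encrypting the hashes, obtained without a key-management step at verify time.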