Re: Hashed password secure?

From: Bill Unruh (unruh_at_string.physics.ubc.ca)
Date: 06/30/04

• Next message: flip: "Re: Scientific books: cheap sell-out of the library"
• Previous message: nemo outis: "Re: How secure is SSL emails?"
• In reply to: Matthijs Hebly: "Re: Hashed password secure?"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Date: Wed, 30 Jun 2004 00:50:01 +0000 (UTC)

Matthijs Hebly <heeb@iname.com> writes:

]Bill Unruh schreef:
]>
]> ]Correction: my suggestyion would run it
]> ]*Random(SomeNumberDependentOnCPUSpeed)* times. Which, IMHO, makes it
]> ](almost) impossible for some attacker to create a dictionary of hashes
]>
]> It also makes it completely non-portable. And has the danger that when you
]> replace your machine, suddenly no password, including root's, works.
]I don't see how this is in any way platform dependent...
]Why is hashing in itself platform *in*dependent, but hashing a random
]number of times, or with a random salt suddenly platform *dependent*?!?

Because hashing is a deterministic procedure which is the same on all
platforms, but hasing a fixed number of times depending on the platform is
by definition platform dependent. I assume you mean that you feed the
output of the hash back into the input. If not, then the massive number of
hashes are completely irrelevant because the attacker would simply write a
routine which got rid of all of the irrelevant hashes. (You MUST assume
that the breaking will occur on a different machine from the one you run it
on-- a machine which could be much faster, have more memory and have a
highly optimised version of the password program.)

]Plz explane.

]> Bad idea.
]Thanx. I'll implement it anyway, and let you know how it works...

And how would you know whether it is broken by someone? Crypto, and
verification, are fields in which success is not obvious from the output.

• Next message: flip: "Re: Scientific books: cheap sell-out of the library"
• Previous message: nemo outis: "Re: How secure is SSL emails?"
• In reply to: Matthijs Hebly: "Re: Hashed password secure?"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Relevant Pages Re: VBA and VSTO ... so I am not dependent to what the user have installed of ... Is my code in VBA in a high level portable to the new ... (microsoft.public.excel.programming) Re: Cross Platform Development ... On GNU/Linux, applications can and do ... widely-used languages on the platform. ... Would you really be happy to be completely dependent ... If the problem is that you want to write closed-source code, ... (uk.comp.os.linux) Re: CETK - Rebuilding the Touch Screen test in Kernel mode ... **Am launcing the touchtest from CETK where we have changed the ... so in the blogs it was written that to run the touchtest in kernel ... PB Debugger Loaded symbols for 'C:\PROGRAM FILES\MICROSOFT PLATFORM ... dependent module could not be found. ... (microsoft.public.windowsce.platbuilder) How many active Threads is possible? ... not a language question: ... How many active threads can I create? ... Of course, it is dependent on the platform and the VM implementation, ... (comp.lang.java.programmer) Re: Hashed password secure? ... And has the danger that when you ... I don't see how this is in any way platform dependent... ... Why is hashing in itself platform *in*dependent, ... or with a random salt suddenly platform *dependent*?!? ... (sci.crypt)

• Security
• UNIX
• Linux
• Coding
• Usenet

• News
• Mailing-Lists
• Newsgroups
• Service
• About
• Privacy
• Search
• Imprint