Re: Newbie - Login Password Processing?



On Sep 22, 4:51 pm, Thomas <thomas.benet...@xxxxxxxx> wrote:
Does this make sense?  Is it overkill?

Yeah, it's overkill to do 50000 iterations in my opinion. It doesn't
feel right, and SHA256 was designed to be secure with just one
iteration of the hash function ... if you're doing this to increase
the time required to brute-force the key, then remember that in the
first place you are using a cryptographically secure hash function
along with a nice salt, so it's pretty much pointless. IMHO it looks
cool but is not.

I can't tell if you're advocating not iterating, but if so then I'd
have to disagree. Modifying dumbbrute (a crypt() bruteforcer) to deal
with straightforward SHA512 rather than the 5000 rounds of it normally
used when given a $6$.... salt definitely increases the ease with
which we can recover a given password. If you're just saying that 50k
is probably too much, I'm not sure I see a downside to doing that many
but if it gets to be a problem for you I doubt trimming it back would
lead in any straightforward way to a compromise.

Geremy Condra


.