On Thursday 01 July 2010 07:43:38 William Stillwell (Lists) wrote:
> Also, technically your "101This is a salt" is stronger than your SHA1 Hash.
>
> Let's say you stick with the "17 character password"
>
> You are using 0-9, a-z, A-Z, and space.
>
> 0-9 = 10
> a-z = 26
> A-Z = 26
> Space = 1
> Total Possible Values = 63
>
> 17^63 = 3.2982384238829760312713680399948e+77
>
> Your sha1 is using 0-9, a-f
>
> 0-9 = 10
> a-f = 6
>
> 40^16 = 42949672960000000000000000

That would only be true if you used random characters in your 17-character passphrase. In fact, English text has somewhere between 0.6 and 1.5 bits of randomness per letter, whereas an SHA1sum has no more than 4 bits of randomness per letter.

Let's assume the higher number of randomness for your English text, which gives us 1.5 * 17, which is 25.5 bits of randomness. Note that the prefix 3 characters have ZERO randomness per character, as they are deterministic from the extension. That gives an even lower 21 bits of randomness.

SHA1 cryptographic sums have no more than 160 bits of randomness. I say "no more than", because, given knowledge of the algorithm used to determine passwords, the sum is reduced to the number of bits of randomness in the source material. You cannot generate randomness by applying a deterministic algorithm.

However, given that the source material for the hash sum is of a smaller bit strength than the comparative strength of the hash algorithm, your difficulty of guessing the password is not reduced any by using the hash algorithm for generative purposes.

--
Tilghman Lesher
Digium, Inc. | Senior Software Developer
twitter: Corydon76 | IRC: Corydon76-dig (Freenode)
Check us out at: www.digium.com & www.asterisk.org
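Added example, not part of the original message: a Python sketch of the reply's point that a deterministic hash cannot add randomness to its input. It assumes the password is the SHA1 hex digest of the extension concatenated with the phrase; the function names and the four-word candidate vocabulary are constructed for illustration.

```python
import hashlib
import math
from itertools import product


def phrase_bits(total_chars, prefix_chars, bits_per_char):
    """Entropy estimate of the source string; the extension prefix adds nothing."""
    return (total_chars - prefix_chars) * bits_per_char


def effective_bits(source_bits, hash_bits=160):
    """A deterministic hash is bounded by its input entropy and its output size."""
    return min(source_bits, hash_bits)


def derive(extension, phrase):
    """Assumed scheme: password = SHA1 hex digest of extension + phrase."""
    return hashlib.sha1((extension + phrase).encode()).hexdigest()


def search_space_bits(extension, candidate_phrases):
    """log2 of the distinct passwords the scheme can emit for one extension."""
    derived = {derive(extension, p) for p in candidate_phrases}
    return math.log2(len(derived))


# Constructed sample: 3-word phrases over a 4-word vocabulary = 64 candidates.
WORDS = ["this", "is", "a", "salt"]
CANDIDATES = [" ".join(words) for words in product(WORDS, repeat=3)]

if __name__ == "__main__":
    # Figures from the reply: 17 characters at 1.5 bits each, 3 of them fixed.
    print("whole string:     ", phrase_bits(17, 0, 1.5), "bits")
    print("minus extension:  ", phrase_bits(17, 3, 1.5), "bits")
    print("after SHA1:       ", effective_bits(phrase_bits(17, 3, 1.5)), "bits")

    # The 40 hex characters look like 160 bits, but the scheme can only
    # produce as many distinct outputs as there are source phrases.
    sample = derive("101", CANDIDATES[0])
    print("hex digest length:", len(sample), "chars =", len(sample) * 4, "bits")
    print("real search space:", search_space_bits("101", CANDIDATES), "bits")
```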
