On Oct 12, 2007, at 6:47 PM, Sandy Harris wrote:

> On 10/13/07, Martin James Cochran <[EMAIL PROTECTED]> wrote:
>
>> ...  What's wrong with starting
>> with input SALT || PASSWORD and iterating N times, ....
>
> Shouldn't it be USERID || SALT || PASSWORD to guarantee that if
> two users choose the same password they get different hashes?
> It looks to me like this would make dictionary attacks harder too.

If the salt space is large enough ( > 128 bits, say) and the salts are generated with a good source of randomness, then it's overwhelmingly likely that an attacker will have to do a dictionary attack per user anyway, even across many different machines. Also, with such a large salt space it's extremely unlikely that users who choose the same passwords will have the same salt.
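
The construction discussed in this thread, as an added example that is not part of the original messages: a random 128-bit salt per user, SALT || PASSWORD hashed and re-hashed N times, and the birthday bound on two users drawing the same salt. SHA-256, N = 10,000, feeding each digest back into the hash, and all function names are assumptions made here; the thread does not specify them.

```python
import hashlib
import hmac
import os
from fractions import Fraction

SALT_BYTES = 16      # 128-bit salt, the size suggested in the thread
ITERATIONS = 10_000  # N; constructed value, the thread does not fix one


def iterated_hash(salt: bytes, password: bytes, n: int = ITERATIONS) -> bytes:
    """Hash SALT || PASSWORD, then re-hash the digest until the hash has run n times.

    Assumed reading of "iterating N times". The standard library's vetted
    equivalents are hashlib.pbkdf2_hmac and hashlib.scrypt.
    """
    digest = hashlib.sha256(salt + password).digest()
    for _ in range(n - 1):
        digest = hashlib.sha256(digest).digest()
    return digest


def enroll(password: bytes) -> tuple[bytes, bytes]:
    """Draw a fresh random salt for this user and return (salt, hash) for storage."""
    salt = os.urandom(SALT_BYTES)
    return salt, iterated_hash(salt, password)


def verify(password: bytes, salt: bytes, stored: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    return hmac.compare_digest(iterated_hash(salt, password), stored)


def salt_collision_bound(users: int, salt_bits: int = 8 * SALT_BYTES) -> Fraction:
    """Birthday (union) bound: P(any two of `users` random salts are equal)."""
    return Fraction(users * (users - 1), 2 * 2 ** salt_bits)


if __name__ == "__main__":
    # Two users choose the same password; no USERID is mixed into the input.
    salt_a, hash_a = enroll(b"correct horse")
    salt_b, hash_b = enroll(b"correct horse")
    print("same stored hash:", hash_a == hash_b)
    print("salt collision bound, 10^9 users:", float(salt_collision_bound(10**9)))
```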


---------------------------------------------------------------------
The Cryptography Mailing List