On Mon, 08 Dec 2014 14:33:16 +0300, Alex Peshkoff <[email protected]> wrote:
> On 12/08/14 14:02, Mark Rotteveel wrote:
>> On Mon, 08 Dec 2014 13:44:36 +0300, Alex Peshkoff <[email protected]>
>> wrote:
>>> Yes. For a password >20 bytes, most likely a shorter one exists with the same
>>> hash value.
>> But that is technically irrelevant.
>
> As long as we do not talk about brute force.

True, but then again the brute-forcing problem also applies if people only use short passwords. Finding a 'short' password takes the same time (or maybe less) as finding a shorter password that has the same hash as the original longer password.

>> Although identical hashes are certain due to pigeonholing, that doesn't mean shorter passwords (or passwords near the hash length) are better than longer passwords. And even then, making the assumption that most passwords only use characters between 0x20 and 0x7E (95 characters out of potentially 256 in a byte), then a very rough estimate is that identical hashes might only happen after 50 characters (based on 256/95 * 20 = 53.9; a calculation that a cryptologist would probably kill me for because it is either totally wrong or too conservative).
>
> I've never said that passwords >20 characters are bad. Only that they are not as efficient as they may seem.

My original point however stands. Documenting that SRP passwords are effective up to 20 characters is invalid.

Mark

Firebird-Devel mailing list, web interface at https://lists.sourceforge.net/lists/listinfo/firebird-devel
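The pigeonhole arithmetic the thread argues about, as an added example (not Firebird's code and not anything posted in the thread): it computes the password length at which collisions become unavoidable for a 20-byte digest (the figure from the thread), expresses brute-force strength as the smaller of password space and digest space, and runs the "find a shorter password with the same hash" search against a deliberately truncated 2-byte digest so it finishes in under a second. SHA-1 here is only a convenient stand-in for a fixed-size digest, not a statement about which hash Firebird's SRP uses; the long passphrase is a constructed sample.

```python
"""Pigeonhole arithmetic for passwords hashed to a fixed-size digest.

Added example, not Firebird code. The 20-byte digest size is the figure
discussed in the thread; the 2-byte truncation used by the demo is a
constructed toy so the exhaustive search finishes quickly.
"""
import hashlib
import itertools
import math
import string

# The 95 printable ASCII characters 0x20..0x7E mentioned in the thread.
PRINTABLE = string.digits + string.ascii_letters + string.punctuation + " "


def crossover_length(alphabet_size: int, digest_bytes: int) -> int:
    """Smallest password length whose space is at least the digest space.

    By the pigeonhole principle, at and beyond this length there must be
    distinct passwords sharing a digest; below it a collision is merely possible.
    """
    return math.ceil(8 * digest_bytes / math.log2(alphabet_size))


def effective_bits(length: int, alphabet_size: int, digest_bytes: int) -> float:
    """Exhaustive-search work an attacker faces, in bits.

    It is the smaller of the password space and the digest space: characters
    past the crossover add nothing against brute force, but they never make
    the password weaker either.
    """
    return min(length * math.log2(alphabet_size), 8.0 * digest_bytes)


def toy_hash(password: str, digest_bytes: int) -> bytes:
    """SHA-1 truncated to digest_bytes, standing in for any fixed-size digest."""
    return hashlib.sha1(password.encode("utf-8")).digest()[:digest_bytes]


def shortest_preimage(target: bytes, digest_bytes: int, alphabet: str = PRINTABLE):
    """Enumerate candidates from length 1 upward until one hashes to target.

    Returns (candidate, hashes_computed). Against a digest of d bytes the
    expected cost is about 2**(8*d) hashes no matter how long the original
    password was, which is the thread's point: a collision for the long
    password is no cheaper to find than a short password itself.
    """
    tried = 0
    for length in itertools.count(1):
        for chars in itertools.product(alphabet, repeat=length):
            tried += 1
            candidate = "".join(chars)
            if toy_hash(candidate, digest_bytes) == target:
                return candidate, tried


if __name__ == "__main__":
    for k in (256, 95, 62):
        print(f"alphabet of {k:3d}: collisions forced from length {crossover_length(k, 20)}")
    long_pw = "this passphrase is much longer than the digest"  # constructed sample
    target = toy_hash(long_pw, 2)
    found, tried = shortest_preimage(target, 2)
    print(f"{len(long_pw)}-char password collides with {found!r} after {tried} hashes")
```

With the 2-byte toy digest the search typically needs on the order of 65,000 hashes and lands on a two- or three-character candidate; with the real 20-byte digest the same search is 2**160 work, so the long password is exactly as strong as the digest and no weaker than a password of the crossover length.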
