On Jul 31, 2009, at 12:48 AM, Jonathan Lundell wrote:
> On Jul 31, 2009, at 12:38 AM, Yarko Tymciurak wrote:
>
>> On Fri, Jul 31, 2009 at 2:31 AM, Jonathan Lundell
>> <[email protected]> wrote:
>>
>> On Jul 31, 2009, at 12:16 AM, Bottiger wrote:
>>
>> .....
>> The difference is that with a deterministic transform of the password
>> (this includes static salt, or salt that's a function of the base
>> password), the attacker performs your loop once and solves every
>> password in his list. And the loop result can be precomputed into a
>> rainbow table.
>>
>> How do you figure? If the salt is different, and is based on the
>> "solution" of the hash,
>> then how does having an algorithm to extract the salt help? You
>> cannot use the last
>> salt to help; you have to solve the next hash to get its value
>> (you can check it after).
>>
>> Am I missing something?
>
> Give me a specific example of the salted hash function you'd use for
> this mechanism, please.
>
...and let me set some context.
The default CRYPT() right now is md5(password).
Bottiger's proposal that I originally objected to was:
md5(password+password[-1])
He later suggested that "you could double or triple the original
password before putting it through the hash", so
md5(password+password)
or md5(password*3)
Suppose you have a dictionary of 1,000,000 weak passwords and
precompute their 1,000,000 hashes.
Now suppose you want to attack md5(password+password). How many hashes
do you need to precompute? 1,000,000.
I'm suggesting (sticking with md5 for comparability):
md5(password+random)+random
...where random is randomly chosen for each new password.
You're suggesting?
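The cost argument in the message above, as an added example that is not part of the thread: the attacker's dictionary work against md5(password+password) versus md5(password+random)+random, on constructed sample data (the four-entry weak-password list, the three hypothetical users and the fixed demonstration salts are all assumptions, and md5 is kept only for comparability with the thread).

```python
import hashlib
import os

# Constructed sample data (not from the thread): a tiny dictionary of weak
# passwords and the cleartext passwords of three hypothetical users.
WEAK_PASSWORDS = ["password", "letmein", "123456", "qwerty"]
USER_PASSWORDS = ["password", "qwerty", "correct horse battery"]


def md5_hex(s):
    # md5 is used only so the numbers line up with the thread's comparison.
    return hashlib.md5(s.encode()).hexdigest()


def deterministic_crypt(password):
    """Bottiger's 'double the password' variant: md5(password+password)."""
    return md5_hex(password + password)


def salted_crypt(password, salt=None):
    """Jonathan's proposal: md5(password+random)+random, fresh random per password."""
    if salt is None:
        salt = os.urandom(8).hex()
    return md5_hex(password + salt) + salt


def salted_verify(password, stored):
    digest, salt = stored[:32], stored[32:]
    return md5_hex(password + salt) == digest


def dictionary_work_deterministic(stored):
    """One precomputed table serves every stored hash: (hashes computed, hashes recovered)."""
    table = {deterministic_crypt(p): p for p in WEAK_PASSWORDS}
    recovered = sum(1 for h in stored if h in table)
    return len(table), recovered


def dictionary_work_salted(stored):
    """No shared table applies: each stored value forces a fresh pass over the dictionary."""
    computed = recovered = 0
    for h in stored:
        for p in WEAK_PASSWORDS:
            computed += 1
            if salted_verify(p, h):
                recovered += 1
                break
    return computed, recovered


def compare():
    det = [deterministic_crypt(p) for p in USER_PASSWORDS]
    # Fixed salts keep the demonstration reproducible; salted_crypt() draws random ones in use.
    sal = [salted_crypt(p, salt=f"{i:016x}") for i, p in enumerate(USER_PASSWORDS)]
    return {"deterministic": dictionary_work_deterministic(det),
            "salted": dictionary_work_salted(sal)}
```

With the deterministic transform the table is built once (4 hashes) and recovers both weak users; with per-password salt the same two recoveries cost a dictionary pass per stored hash (9 hashes here), and that cost grows with the number of users rather than staying constant.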