Previously Uli Fouquet wrote:
> Hi Dan,
> 
> thanks for your quick response.
> 
> Dan Korostelev wrote:
> > Yeah, that's definetely a mistake! The hash needs to be generated
> > using both salt and password.
> > 
> > Also, I saw a technique when you generate a hash using double hashing,
> > like this: sha(sha(password) + salt).hexdigest(). It looks even more
> > secure :)
> 
> Hm, not sure. Building the hash of a hash doesn't give a more equal
> distribution, does it? Therefore it doesn't look 'more secure' to me.

It would not surprise me if it would in fact not be considerably weaker.
The cleartext space for the second hash is a lot smaller and very
predictable (you know the exact string length and that is only consists
of digits and lowercase letters), making an attack simpler.

Wichert.


-- 
Wichert Akkerman <wich...@wiggy.net>    It is simple to make things.
http://www.wiggy.net/                   It is hard to make things simple.
_______________________________________________
Zope-Dev maillist  -  Zope-Dev@zope.org
http://mail.zope.org/mailman/listinfo/zope-dev
**  No cross posts or HTML encoding!  **
(Related lists - 
 http://mail.zope.org/mailman/listinfo/zope-announce
 http://mail.zope.org/mailman/listinfo/zope )

Reply via email to