[Melbourne-pm] OT[sort of] plain hashing text passwords

Sam Watkins sam at nipl.net
Tue Dec 13 20:38:46 PST 2011


On Tue, Dec 13, 2011 at 11:41:12AM +1100, Toby Corkindale wrote:
> re-hashing actually makes it progressively *easier* for the attacker
> to find the password, not harder. So don't do that.

Yes that makes sense.

I'm sure there are repeated computations with no real 'short cut', where
you have to do work proportional to the number of repetitions to get the
result (or break the code).

But I suppose normal hash algorithms are not designed for that.

> PS.
> I looked at the hashalot program though, and as far as I can tell
> from the man page, it doesn't actually have any option to re-hash
> repeatedly:
> https://gitorious.org/hashalot/hashalot/blobs/master/hashalot.c

Seems you're right about that too,
I don't know where I got that idea from.

I'm pretty sure I have used some tool which made it harder to test
pass-phrases, by doing repeated calculations that take a long time.

Sam
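
Added example, not part of the original post and not the tool Sam recalls: PBKDF2-HMAC-SHA256 (RFC 8018) is one standard construction of the kind described above, where deriving or testing a passphrase costs work proportional to the iteration count. This from-scratch version counts the underlying HMAC calls and checks itself against Python's `hashlib.pbkdf2_hmac`; the salt and passphrases are constructed sample values.

```python
import hashlib
import hmac
import struct

def pbkdf2_sha256(password, salt, iterations, dklen=32):
    """PBKDF2-HMAC-SHA256 (RFC 8018, 5.2). Returns (key, prf_calls)."""
    if iterations < 1 or dklen < 1:
        raise ValueError("iterations and dklen must be positive")
    calls = 0

    def prf(data):
        nonlocal calls
        calls += 1
        return hmac.new(password, data, hashlib.sha256).digest()

    out, block = b"", 1
    while len(out) < dklen:
        u = prf(salt + struct.pack(">I", block))  # U_1 = PRF(P, S || INT(i))
        t = int.from_bytes(u, "big")
        for _ in range(iterations - 1):
            u = prf(u)  # U_j needs U_{j-1}: the chain in a block is sequential
            t ^= int.from_bytes(u, "big")
        out += t.to_bytes(32, "big")
        block += 1
    return out[:dklen], calls

def verify(passphrase, salt, iterations, stored):
    """Recompute and compare in constant time; costs the same as deriving."""
    candidate, _ = pbkdf2_sha256(passphrase, salt, iterations, len(stored))
    return hmac.compare_digest(candidate, stored)

if __name__ == "__main__":
    salt = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed
    secret = b"correct horse battery staple"  # constructed
    for n in (1, 1000, 100000):
        key, calls = pbkdf2_sha256(secret, salt, n)
        assert key == hashlib.pbkdf2_hmac("sha256", secret, salt, n, 32)
        print(f"iterations={n:>6} prf_calls={calls:>6} key={key.hex()[:16]}...")
    stored, _ = pbkdf2_sha256(secret, salt, 1000)
    print(verify(secret, salt, 1000, stored), verify(b"guess", salt, 1000, stored))
```

The salt and iteration count are stored alongside the derived key, so every candidate passphrase has to be run through the full chain before it can be compared.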

