[Melbourne-pm] OT[sort of] plain hashing text passwords

Sam Watkins sam at nipl.net
Fri Oct 9 09:38:25 PDT 2009


On Thu, Oct 08, 2009 at 03:35:27PM +1100, David Warring wrote:
>    This type of attack can be thwarted by salting the password, i.e. prepending
>    some random characters to both the input string and output digest:

Another method is used by the tool "hashalot": you salt your password or
whatever, hash it, then hash the hash repeatedly, perhaps 1000000 times; you
can fold your password back in or use whatever method you like.  This takes a
significant amount of time, on the order of seconds.  A brute force attack will
then take 1000000 times longer than it otherwise might.

You might not have the CPU power to use that method in a web app though.

Sam

