[Melbourne-pm] OT[sort of] plain hashing text passwords

Toby Corkindale toby.corkindale at strategicdata.com.au
Mon Dec 12 16:41:12 PST 2011


On 10/10/09 03:38, Sam Watkins wrote:
> On Thu, Oct 08, 2009 at 03:35:27PM +1100, David Warring wrote:
>>     This type of attack can be thwarted by salting the password, ie prepending
>>     some random characters to both the input string and output digest:
>
> Another method is used by the tool "hashalot", you salt your password or
> whatever, and hash it then hash the hash repeatedly perhaps 1000000 times, you
> can fold your password back in or use whatever method you like.  This takes a
> significant amount of time, on the order of seconds.  A brute force attack will
> then take 1000000 times longer than it otherwise might.
>
> You might not have the CPU power to use that method in a web app though.

I was reading an article in one of the tech magazines we get at work, 
about password security. They discussed repeatedly-hashing something, as 
you suggest above, and said that re-hashing actually makes it 
progressively *easier* for the attacker to find the password, not 
harder. So don't do that.

PS.
I looked at the hashalot program though, and as far as I can tell from 
the man page, it doesn't actually have any option to re-hash repeatedly:
https://gitorious.org/hashalot/hashalot/blobs/master/hashalot.c


-Toby
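Worked example, added by the editor and not part of this thread: the salt-then-iterate scheme Sam Watkins describes in the quoted message above (salt the password, hash it, then re-hash the digest many times, folding the password back in), in Python rather than Perl so it runs as-is with the standard library only. The per-round folding order, the 16-byte salt, the `iterations$salt$digest` record layout and the default iteration count are assumptions made for the example; `hashlib.pbkdf2_hmac` is the standardised form of the same idea and is shown beside the hand-rolled loop. The timing helper makes the point in the quoted text concrete: each guess against the stored record costs one full stretch, so the work per guess scales with the iteration count.

```python
import hashlib
import hmac
import os
import time
from typing import Optional

# Constructed default for the example; a real deployment tunes this to
# the hardware it runs on (the quoted post suggests "on the order of seconds").
DEFAULT_ITERATIONS = 100_000


def stretch(password: bytes, salt: bytes, iterations: int) -> bytes:
    """Salt the password, hash it, then re-hash the digest `iterations`
    times, folding the salt and password back in on every round.
    The exact folding (digest || salt || password) is an assumption."""
    digest = hashlib.sha256(salt + password).digest()
    for _ in range(iterations):
        digest = hashlib.sha256(digest + salt + password).digest()
    return digest


def make_record(password: bytes, iterations: int = DEFAULT_ITERATIONS,
                salt: Optional[bytes] = None) -> str:
    """Build a storable record: iterations$salt_hex$digest_hex.
    The salt is 16 fresh random bytes unless one is supplied (for tests)."""
    if salt is None:
        salt = os.urandom(16)
    digest = stretch(password, salt, iterations)
    return f"{iterations}${salt.hex()}${digest.hex()}"


def verify(password: bytes, record: str) -> bool:
    """Recompute the stretch from the stored salt and iteration count and
    compare in constant time, so timing does not leak how many bytes match."""
    iters, salt_hex, digest_hex = record.split("$")
    candidate = stretch(password, bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def pbkdf2_record(password: bytes, iterations: int = DEFAULT_ITERATIONS,
                  salt: Optional[bytes] = None) -> str:
    """Same construction using the standardised PBKDF2-HMAC-SHA256 from the
    standard library; tagged so the two record formats cannot be confused."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password, salt, iterations)
    return f"pbkdf2${iterations}${salt.hex()}${digest.hex()}"


def verify_pbkdf2(password: bytes, record: str) -> bool:
    """Verify a record produced by pbkdf2_record; rejects the wrong format."""
    parts = record.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2":
        return False
    _, iters, salt_hex, digest_hex = parts
    candidate = hashlib.pbkdf2_hmac("sha256", password,
                                    bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def seconds_per_guess(iterations: int, samples: int = 3) -> float:
    """Time one stretched hash on this machine (best of `samples` runs).
    A guess against a stored record costs exactly this much, which is why
    the quoted post says brute force takes `iterations` times longer."""
    salt = b"\x00" * 16  # constructed fixed salt: only the timing matters here
    best = float("inf")
    for _ in range(samples):
        start = time.perf_counter()
        stretch(b"timing-probe", salt, iterations)
        best = min(best, time.perf_counter() - start)
    return best


if __name__ == "__main__":
    rec = make_record(b"correct horse battery staple")
    print(rec)
    print("right password:", verify(b"correct horse battery staple", rec))
    print("wrong password:", verify(b"wrong", rec))
    for n in (1_000, 10_000, 100_000):
        print(f"{n:>7} iterations: {seconds_per_guess(n) * 1000:.2f} ms per guess")
```

The stored iteration count lets a site raise the work factor later and re-stretch on the user's next successful login; the salt ensures two users with the same password get different records, which is the original point David Warring makes about precomputed tables.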

