[Melbourne-pm] OT[sort of] plain hashing text passwords
toby.corkindale at strategicdata.com.au
Mon Dec 12 16:41:12 PST 2011
On 10/10/09 03:38, Sam Watkins wrote:
> On Thu, Oct 08, 2009 at 03:35:27PM +1100, David Warring wrote:
>> This type of attack can be thwarted by salting the password, i.e. prepending
>> some random characters to both the input string and output digest:
> Another method is used by the tool "hashalot": you salt your password or
> whatever and hash it, then hash the hash repeatedly, perhaps 1000000 times; you
> can fold your password back in or use whatever method you like. This takes a
> significant amount of time, on the order of seconds. A brute force attack will
> then take 1000000 times longer than it otherwise might.
> You might not have the CPU power to use that method in a web app though.
I was reading an article in one of the tech magazines we get at work,
about password security. They discussed repeatedly hashing something, as
you suggest above, and said that re-hashing actually makes it
progressively *easier* for the attacker to find the password, not
harder. So don't do that.
I looked at the hashalot program though, and as far as I can tell from
the man page, it doesn't actually have any option to re-hash repeatedly:
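The salt-plus-repeated-hashing scheme Sam describes, as an added example in Python (not code from the thread, nor from hashalot): a hand-rolled loop that folds salt and password back in on every round, beside the same idea expressed through hashlib's PBKDF2, with a verifier that stores the salt and round count next to the digest. The round count, salt length, record format and sample password are assumptions.

```python
import hashlib
import hmac
import os

# Assumed parameters (not from the thread): 16-byte random salt, SHA-256,
# and a round count chosen so one check costs a noticeable fraction of a second.
SALT_LEN = 16
ROUNDS = 100_000


def stretch(password: bytes, salt: bytes, rounds: int = ROUNDS) -> bytes:
    """Hash salt+password, then re-hash the digest `rounds` times, folding the
    salt and password back in each round (the hand-rolled variant Sam sketches)."""
    digest = hashlib.sha256(salt + password).digest()
    for _ in range(rounds):
        digest = hashlib.sha256(digest + salt + password).digest()
    return digest


def stretch_pbkdf2(password: bytes, salt: bytes, rounds: int = ROUNDS) -> bytes:
    """The same stretching idea via the standardised PBKDF2-HMAC-SHA256 construction."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, rounds)


def make_record(password: str, rounds: int = ROUNDS) -> str:
    """Produce a storable record; salt and round count travel with the digest so
    the cost can be raised later without breaking verification of old records."""
    salt = os.urandom(SALT_LEN)
    digest = stretch_pbkdf2(password.encode(), salt, rounds)
    return f"pbkdf2-sha256${rounds}${salt.hex()}${digest.hex()}"


def verify(password: str, record: str) -> bool:
    """Recompute with the stored salt/rounds and compare in constant time."""
    parts = record.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2-sha256":
        return False
    _, rounds, salt_hex, digest_hex = parts
    digest = stretch_pbkdf2(password.encode(), bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    rec = make_record("correct horse")  # sample password, constructed
    print(rec)
    print(verify("correct horse", rec), verify("wrong guess", rec))
```

The round count is the lever for the CPU trade-off Sam mentions for web apps: raise it until a single verification costs as much time as the login path can tolerate.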