From: " "@deneb.cygnus.argh.org (Florian Weimer)
Subject: Re: Saving and Encoding Passwords
Date: 1999/11/28
Date: 1999-11-28T10:43:55+00:00 [thread overview]
Message-ID: <87hfi6q4k4.fsf@deneb.cygnus.argh.org> (raw)
In-Reply-To: 1999Nov27.093947.1@eisner
kilgallen@eisner.decus.org (Larry Kilgallen) writes:
> In article <87u2m8exf8.fsf@deneb.cygnus.argh.org>, Florian Weimer <fw@s.netic.de> writes:
>
> > It is considered close to impossible to recover the password from
> > the hash value if the cryptographic hash function is one of the most
> > commonly used and thoroughly analyzed (i.e. MD5 or SHA-1).
>
> But that consideration is only of interest to mathematicians.
Eh, maybe. ;)
> Security folk realize that passwords freely chosen by humans
> are highly susceptible to brute force guessing attacks. The
> common defenses are:
>
> Include a secret per-user pseudo-random seed number
> in the hash, to prevent pre-computation of hashes for
> a particular username.
There's no such thing like a `secret per-user pseudo-random seed number'.
The application needs to know it in order to verify the password,
which means it can't that secret. Of course, a password salt will
tremendously increase the size of a precomputed dictionary without much
effort on the application programmer's side.
next prev parent reply other threads:[~1999-11-28 0:00 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
1999-11-16 0:00 Saving and Encoding Passwords Josh Highley
1999-11-17 0:00 ` Ted Dennison
1999-11-17 0:00 ` Josh Highley
1999-11-17 0:00 ` Gisle S�lensminde
1999-11-26 0:00 ` Florian Weimer
1999-11-27 0:00 ` Larry Kilgallen
1999-11-28 0:00 ` Florian Weimer [this message]
1999-11-28 0:00 ` Larry Kilgallen
1999-11-29 0:00 ` Samuel T. Harris
1999-12-01 0:00 ` Robert I. Eachus
replies disabled
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox