From mboxrd@z Thu Jan 1 00:00:00 1970
X-Spam-Checker-Version: SpamAssassin 3.4.4 (2020-01-24) on polar.synack.me
X-Spam-Level: *
X-Spam-Status: No, score=1.5 required=5.0 tests=BAYES_00,FROMSPACE,
	FROM_ADDR_WS,INVALID_MSGID autolearn=no autolearn_force=no version=3.4.4
X-Google-Language: ENGLISH,ASCII-7-bit
X-Google-Thread: 103376,2ea9abfbe071a56f
X-Google-Attributes: gid103376,public
From: " "@deneb.cygnus.argh.org (Florian Weimer)
Subject: Re: Saving and Encoding Passwords
Date: 1999/11/28
Message-ID: <87hfi6q4k4.fsf@deneb.cygnus.argh.org>#1/1
X-Deja-AN: 554045525
References: <38315e1a.0@silver.truman.edu> <87u2m8exf8.fsf@deneb.cygnus.argh.org> <1999Nov27.093947.1@eisner>
Mail-Copies-To: never
Content-Type: text/plain; charset=us-ascii
X-Complaints-To: abuse@cygnus.argh.org
X-Trace: deneb.cygnus.argh.org 943785835 7251 192.168.1.2 (28 Nov 1999 10:43:55 GMT)
Organization: Penguin on board
User-Agent: Gnus/5.070099 (Pterodactyl Gnus v0.99) Emacs/20.4
Mime-Version: 1.0
NNTP-Posting-Date: 28 Nov 1999 10:43:55 GMT
Newsgroups: comp.lang.ada
Date: 1999-11-28T10:43:55+00:00
List-Id:

kilgallen@eisner.decus.org (Larry Kilgallen) writes:

> In article <87u2m8exf8.fsf@deneb.cygnus.argh.org>, Florian Weimer writes:
>
> > It is considered close to impossible to recover the password from
> > the hash value if the cryptographic hash function is one of the most
> > commonly used and thoroughly analyzed (i.e. MD5 or SHA-1).
>
> But that consideration is only of interest to mathematicians.

Eh, maybe. ;)

> Security folk realize that passwords freely chosen by humans
> are highly susceptible to brute force guessing attacks. The
> common defenses are:
>
>	Include a secret per-user pseudo-random seed number
>	in the hash, to prevent pre-computation of hashes for
>	a particular username.

There's no such thing as a `secret per-user pseudo-random seed number'. The application needs to know it in order to verify the password, which means it can't be that secret.

Of course, a password salt will tremendously increase the size of a precomputed dictionary without much effort on the application programmer's side.
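
The point about salts in the message above, as an added Python example that is not part of the original post: the salt sits in the clear beside the hash so the verifier can read it back, yet a dictionary precomputed without it no longer matches. SHA-256 stands in for the MD5/SHA-1 named in the thread; the function names, salt length and word list are assumptions constructed for the example.

```python
import hashlib
import hmac
import os

SALT_BYTES = 16  # assumed salt length for this example

# Constructed sample word list standing in for a guessing dictionary.
WORDLIST = ["letmein", "password", "ada95", "penguin"]


def digest(password, salt=b""):
    """Hex SHA-256 of salt || password (one hash, to keep the focus on the salt)."""
    return hashlib.sha256(salt + password.encode("utf-8")).hexdigest()


def enroll(password):
    """Create a stored record: a fresh random salt kept in the clear, plus the hash."""
    salt = os.urandom(SALT_BYTES)
    return salt, digest(password, salt)


def verify(password, record):
    """The application reads the salt back from the record, so it is not a secret."""
    salt, stored = record
    return hmac.compare_digest(digest(password, salt), stored)


def build_table(wordlist):
    """Precomputed dictionary (digest -> word), built once with no salt."""
    return {digest(word): word for word in wordlist}


def lookup(table, stored_hash):
    """One table lookup per stored hash; only works when no salt was mixed in."""
    return table.get(stored_hash)


def audit_record(wordlist, record):
    """With the salt known, guessing still works, but needs a full pass per record."""
    salt, stored = record
    for word in wordlist:
        if hmac.compare_digest(digest(word, salt), stored):
            return word
    return None
```
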