A better way to think about passwords

[Faramir]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

El 18-04-2011 8:21, Hauke Laging escribió:
> Am Montag 18 April 2011 12:53:12 schrieb Faramir:
> 
>>   Maybe we should just pick a "good password", hash it a couple of
>> times, and use that hash as the real password... we could carry the
>> hashing tool in a flash drive.
> 
> That does not make sense to me because you do not increase the key space by 
> that. If you try to defend against somebody who knows what you do then it is 
> no protection.

  Well, true, if the attacker knows I do that. But as the password is
supposed to be secret, the password generation procedure could be
considered secret too. So, lets say, I think about a password easy to
remember to me, then I apply SHA-256 to it a "secret" amount of times
(lets say, I hash the hash 5 times). And I would use that final hash as
a password. It would defeat any dictionary attack, since the 4° hash
wouldn't be in any "commond words" dictionary. It would still be
vulnerable to a complete rainbow table for SHA-256, but if such rainbow
table exists at all, then we are all toasted, no matter what password we
use, it would still be found.

  I don't know the storage space needed for the whole key space of
SHA-256, but I guess it would be huge (maybe not feasible).

  Best Regards
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQEcBAEBCAAGBQJNrWpeAAoJEMV4f6PvczxAm6gH/3SMKQjixZgWZkAQBko+kzWC
L+3GtWW6TauKyaXRHxNPdYeXbAuM9wfQAqPuUw237i1X/c3U/FdCvebfxgHT7LKU
kgwArstAyXoQnTlpjJ4Tu2ZA1WUOIVseP5YRU16W1CUVG7dzewSBatire/yXkLqC
Djz84kZMOdm88F1PPH3hXUjYjgVKBw3OzcENxEd88h35QshxUm6G6EV3v5K10k0R
atYbPvWrKKNX2tgU0QP/2MDiOVQeHm8pc2S0M8ddtJ+rL2PULTkCTHJjevCZK4vr
rg4lUhU65E+x4oZPMYHw4H039tb7Pz0g+OhdTKwkEQf0Qz3BqafRsFShLiwoOFA=
=qQO5
-----END PGP SIGNATURE-----