A better way to think about passwords
Faramir
faramir.cl at gmail.com
Tue Apr 19 12:56:30 CEST 2011
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
El 18-04-2011 8:21, Hauke Laging escribió:
> Am Montag 18 April 2011 12:53:12 schrieb Faramir:
>
>> Maybe we should just pick a "good password", hash it a couple of
>> times, and use that hash as the real password... we could carry the
>> hashing tool in a flash drive.
>
> That does not make sense to me because you do not increase the key space by
> that. If you try to defend against somebody who knows what you do then it is
> no protection.
Well, true, if the attacker knows I do that. But as the password is
supposed to be secret, the password generation procedure could be
considered secret too. So, lets say, I think about a password easy to
remember to me, then I apply SHA-256 to it a "secret" amount of times
(lets say, I hash the hash 5 times). And I would use that final hash as
a password. It would defeat any dictionary attack, since the 4° hash
wouldn't be in any "commond words" dictionary. It would still be
vulnerable to a complete rainbow table for SHA-256, but if such rainbow
table exists at all, then we are all toasted, no matter what password we
use, it would still be found.
I don't know the storage space needed for the whole key space of
SHA-256, but I guess it would be huge (maybe not feasible).
Best Regards
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
iQEcBAEBCAAGBQJNrWpeAAoJEMV4f6PvczxAm6gH/3SMKQjixZgWZkAQBko+kzWC
L+3GtWW6TauKyaXRHxNPdYeXbAuM9wfQAqPuUw237i1X/c3U/FdCvebfxgHT7LKU
kgwArstAyXoQnTlpjJ4Tu2ZA1WUOIVseP5YRU16W1CUVG7dzewSBatire/yXkLqC
Djz84kZMOdm88F1PPH3hXUjYjgVKBw3OzcENxEd88h35QshxUm6G6EV3v5K10k0R
atYbPvWrKKNX2tgU0QP/2MDiOVQeHm8pc2S0M8ddtJ+rL2PULTkCTHJjevCZK4vr
rg4lUhU65E+x4oZPMYHw4H039tb7Pz0g+OhdTKwkEQf0Qz3BqafRsFShLiwoOFA=
=qQO5
-----END PGP SIGNATURE-----
More information about the Gnupg-users
mailing list