A better way to think about passwords

Faramir faramir.cl at gmail.com
Tue Apr 19 12:56:30 CEST 2011

Hash: SHA256

El 18-04-2011 8:21, Hauke Laging escribió:
> Am Montag 18 April 2011 12:53:12 schrieb Faramir:
>>   Maybe we should just pick a "good password", hash it a couple of
>> times, and use that hash as the real password... we could carry the
>> hashing tool in a flash drive.
> That does not make sense to me because you do not increase the key space by 
> that. If you try to defend against somebody who knows what you do then it is 
> no protection.

  Well, true, if the attacker knows I do that. But as the password is
supposed to be secret, the password generation procedure could be
considered secret too. So, lets say, I think about a password easy to
remember to me, then I apply SHA-256 to it a "secret" amount of times
(lets say, I hash the hash 5 times). And I would use that final hash as
a password. It would defeat any dictionary attack, since the 4° hash
wouldn't be in any "commond words" dictionary. It would still be
vulnerable to a complete rainbow table for SHA-256, but if such rainbow
table exists at all, then we are all toasted, no matter what password we
use, it would still be found.

  I don't know the storage space needed for the whole key space of
SHA-256, but I guess it would be huge (maybe not feasible).

  Best Regards
Version: GnuPG v1.4.11 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/


More information about the Gnupg-users mailing list