On 19/08/10 18:45, Daniel Kinzler wrote:
> Tim Starling wrote:
>> It's been said (e.g. [1]) that hashing passwords with two rounds of
>> MD5 is basically a waste of time these days, because brute-forcing
>> even relatively long passwords is now feasible with cheap hardware.
>> Indeed, you can buy software [2] which claims to be able to check 90
>> million MediaWiki passwords per second on an ordinary GPU. That would
>> let you crack a random 8-letter password in 20 minutes.
> I don't know that much about the mathematical details of hashing, but I'd like
> to drop a pointer to an article I found interesting in this context:
> "Stop using unsafe keyed hashes, use HMAC"
> http://rdist.root.org/2009/10/29/stop-using-unsafe-keyed-hashes-use-hmac/
> So, how does your proposal relate to HMAC?
HMAC is for secret keys, there's no secret key in this scheme.
That article mentions collision and second-preimage attacks. As far as
I can determine, neither is relevant to a password hashing scheme.
Say if you knew someone's password. Then a second-preimage attack
would allow you to construct a new, longer password which also allowed
you to log in as them. This would be a waste of time though, since you
could have just logged in with the original password.
Similarly, nobody really cares if you can construct two long
passwords, set one in your preferences, and use the other to log in.
That's all a collision lets you do.
The security goals for password hashing are quite different to those
for message authentication, and less well-studied. Key strengthening
algorithms use hashing as a proof of work, so a break would be an
optimised algorithm. Usually, the designers of hash functions consider
optimised algorithms to be useful, not a break.
-- Tim Starling
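Added example, not part of the thread above and not MediaWiki's own code: a small cost model for the argument made in it. It checks the "90 million guesses per second means a random 8-letter password in 20 minutes" figure (it is the average-case time over a lowercase keyspace), shows why a public salt gives the attacker nothing to recover (everything needed to test a guess is stored with the hash, which is the reason HMAC does not enter into it), and shows how a key-strengthening function multiplies the attacker's cost per guess. Labelled assumptions: the "two rounds of MD5" scheme is modelled as md5(salt + "-" + md5(password)) with a public salt; the 90 million/second rate is the one quoted in the thread; PBKDF2-HMAC-SHA256 from Python's hashlib stands in for any iterated proof-of-work construction; the cost factor is a rough model, not a benchmark.

```python
"""Cost model for the password-hashing argument in the thread above.

Added example, not code from the original message or from MediaWiki.
Labelled assumptions: the legacy scheme is modelled as
md5(salt + "-" + md5(password)) with a public salt; GPU_RATE is the
figure quoted in the thread; PBKDF2-HMAC-SHA256 stands in for any
iterated (proof-of-work) key-strengthening function.
"""
import hashlib
import hmac
import itertools
import math
import os
import string

GPU_RATE = 90_000_000  # guesses/second against the two-round scheme, as quoted


def legacy_hash(password: str, salt: str) -> str:
    """Two rounds of MD5 with a public salt (assumed model of the legacy scheme)."""
    inner = hashlib.md5(password.encode("utf-8")).hexdigest()
    return hashlib.md5(f"{salt}-{inner}".encode("utf-8")).hexdigest()


def verify_legacy(password: str, salt: str, stored: str) -> bool:
    return hmac.compare_digest(legacy_hash(password, salt), stored)


def stretched_hash(password: str, salt: bytes, iterations: int) -> bytes:
    """Key strengthening: every guess costs `iterations` HMAC calls."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def verify_stretched(password: str, salt: bytes, iterations: int, stored: bytes) -> bool:
    return hmac.compare_digest(stretched_hash(password, salt, iterations), stored)


def brute_force_legacy(stored: str, salt: str, alphabet: str, length: int):
    """Recover a password by enumerating the keyspace.

    There is no secret key: the salt sits next to the hash, so a guess costs
    the attacker exactly what it costs the server, two MD5 calls. Keying the
    hash with a value the attacker can read would change nothing here.
    """
    for candidate in itertools.product(alphabet, repeat=length):
        guess = "".join(candidate)
        if verify_legacy(guess, salt, stored):
            return guess
    return None


def expected_crack_seconds(alphabet_size: int, length: int,
                           rate: float = GPU_RATE, cost_factor: float = 1.0) -> float:
    """Expected time to find a uniformly random password.

    On average half the keyspace is searched. `cost_factor` is how many times
    more expensive one guess is than a legacy guess; for PBKDF2 this is
    roughly the iteration count (a legacy guess and one HMAC call are each
    two hash invocations). Rough model, not a benchmark.
    """
    return alphabet_size ** length / 2 / rate * cost_factor


def iterations_for_target(target_seconds: float, alphabet_size: int, length: int,
                          rate: float = GPU_RATE) -> int:
    """Smallest cost factor that pushes the expected crack time to the target."""
    return math.ceil(target_seconds / expected_crack_seconds(alphabet_size, length, rate))


if __name__ == "__main__":
    lower = string.ascii_lowercase
    secs = expected_crack_seconds(26, 8)
    print(f"random 8-letter password, legacy scheme: {secs / 60:.1f} min expected")
    n = iterations_for_target(365 * 86400, 26, 8)
    print(f"cost factor needed to stretch that to a year: {n}")
    salt = "deadbeef"  # constructed sample salt
    stored = legacy_hash("dog", salt)  # constructed sample password
    print("brute force recovers:", brute_force_legacy(stored, salt, lower, 3))
    salt2 = os.urandom(16)
    digest = stretched_hash("dog", salt2, n)
    print("stretched verify:", verify_stretched("dog", salt2, n, digest))
```

With the quoted rate, 26^8 / 2 guesses come out at about 1160 seconds, i.e. the 20 minutes in the message is the average case for lowercase letters; pushing that to a year on the same hardware needs a cost factor in the region of 27,000 per guess, which is the kind of number a key-strengthening parameter has to carry. The only thing that makes the stretched scheme slower for the attacker is that it is slower for everyone, which is the proof-of-work point in the reply.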