-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Moin,
On Tuesday 23 January 2007 05:10, Gregory Maxwell wrote:
> On 1/22/07, Ivan Krstić krstic@solarsail.hcs.harvard.edu wrote:
> [snip]
>> Generally, the only password hashing scenario in which the choice of algorithm makes a difference at all is an offline attack once the password table has been compromised, at which point, the difference between one algorithm and the next is nothing more but how long you can hold off a brute-forcing attacker. And for that, without preimage attacks, the known MD5 and SHA-1 flaws make about zero difference for any practical purpose.
>
> Ivan is right on in his statements here.
> [snip]

I agree that changing the hashing algorithm is unnec. here.

But:

> (/me waits for someone to notice my above H(s +'-'+H(P)) above and cry about the minor precomputation a smart attacker can do to reduce the workload from 2*users*passwords MD5s to passwords + passwords*users MD5s)
Actually, if you want to strengthen the password-hash table against some offline brute-force/dictionary attacks, you should hash them with a function that takes a long time per test, but still not enough time to slow down the log-in servers.
Something like

  hash = H(password); for (0..100) { hash = H(hash); }

What function you actually use for H(), may it be MD5 or SHA1, is practically irrelevant here, though, but when you migrate to such a scheme, you might as well use SHA256 instead of MD5 (even if it is just to quieten all the "MD5 is insecure" criers :)
Best wishes,
Tels
- --
Signed on Tue Jan 23 18:45:25 2007 with key 0x93B84C15.
View my photo gallery: http://bloodgate.com/photos
PGP key on http://bloodgate.com/tels.asc or per email.
"Don't worry about people stealing your ideas. If your ideas are any good, you'll have to ram them down people's throats." -- Howard Aiken
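The iterated scheme Tels sketches above, written out as a complete, added example (not code from the mail thread or from MediaWiki). It salts before the first hash, so the attacker cannot precompute H(password) once and reuse it across users as in the H(s+'-'+H(P)) discussion, repeats H() a configurable number of times, stores the algorithm, iteration count and salt beside the digest so the work factor can be raised later, and includes a calibration helper that picks an iteration count from a target verification time on the login server. The record layout, function names and default values are this example's own choices.

```python
import hashlib
import hmac
import os
import time

# Added example, not code from the original mail or from MediaWiki.
# Record format "algo$iterations$salt_hex$digest_hex" is this example's choice.


def salted_digest(password: str, salt: bytes, algo: str = "sha256") -> bytes:
    """One pass of H(salt || password).

    Salting before the first hash means H(password) alone is useless to an
    attacker: every guess has to be redone per user, not precomputed once."""
    return hashlib.new(algo, salt + password.encode("utf-8")).digest()


def iterated_hash(password: str, salt: bytes, iterations: int, algo: str = "sha256") -> bytes:
    """hash = H(salt || password); then hash = H(hash), `iterations` times.

    Each candidate an offline brute-forcer tests now costs iterations + 1
    hash calls instead of one, while the login server pays that price only
    once per login attempt."""
    if iterations < 0:
        raise ValueError("iterations must be non-negative")
    h = salted_digest(password, salt, algo)
    for _ in range(iterations):
        h = hashlib.new(algo, h).digest()
    return h


def make_record(password: str, iterations: int = 100_000, algo: str = "sha256") -> str:
    """Produce the string to store in the password table.

    Keeping algorithm and work factor in the record lets the iteration count
    (or the hash function) be raised later per user, without a flag day."""
    salt = os.urandom(16)  # per-user random salt
    digest = iterated_hash(password, salt, iterations, algo)
    return f"{algo}${iterations}${salt.hex()}${digest.hex()}"


def verify_record(password: str, record: str) -> bool:
    """Recompute the stored digest from the candidate password and compare."""
    algo, iters, salt_hex, digest_hex = record.split("$")
    candidate = iterated_hash(password, bytes.fromhex(salt_hex), int(iters), algo)
    # constant-time comparison so a mismatch position is not leaked via timing
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def calibrate_iterations(target_seconds: float = 0.05, algo: str = "sha256",
                         probe: int = 20_000) -> int:
    """Choose an iteration count so one verification takes about target_seconds
    on this machine: cheap enough for the login server, expensive for a
    brute-forcer who must pay it for every guess."""
    salt = os.urandom(16)
    start = time.perf_counter()
    iterated_hash("calibration", salt, probe, algo)
    per_iteration = max((time.perf_counter() - start) / probe, 1e-9)
    return max(1, int(target_seconds / per_iteration))


if __name__ == "__main__":
    record = make_record("correct horse battery staple", iterations=calibrate_iterations())
    print(record)
    print("good password:", verify_record("correct horse battery staple", record))
    print("bad password: ", verify_record("Tr0ub4dor&3", record))
```

Because the algorithm name is stored in each record, a table that starts out with sha256 can carry SHA-1 or MD5 records from an older scheme side by side and upgrade each user's entry on their next successful login, which is what makes the choice of H() a deployment detail rather than a security decision, as the mail argues.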