On 19/08/10 18:45, Daniel Kinzler wrote:
> Tim Starling wrote:
>> It's been said (e.g. [1]) that hashing passwords with two rounds of MD5 is basically a waste of time these days, because brute-forcing even relatively long passwords is now feasible with cheap hardware. Indeed, you can buy software [2] which claims to be able to check 90 million MediaWiki passwords per second on an ordinary GPU. That would let you crack a random 8-letter password in 20 minutes.
> I don't know that much about the mathematical details of hashing, but I'd like to drop a pointer to an article I found interesting in this context:
> "Stop using unsafe keyed hashes, use HMAC" http://rdist.root.org/2009/10/29/stop-using-unsafe-keyed-hashes-use-hmac/
> So, how does your proposal relate to HMAC?
HMAC is for secret keys, there's no secret key in this scheme.
That article mentions collision and second-preimage attacks. As far as I can determine, neither is relevant to a password hashing scheme.
Say if you knew someone's password. Then a second-preimage attack would allow you to construct a new, longer password which also allowed you to log in as them. This would be a waste of time though, since you could have just logged in with the original password.
Similarly, nobody really cares if you can construct two long passwords, set one in your preferences, and use the other to log in. That's all a collision lets you do.
The security goals for password hashing are quite different to those for message authentication, and less well-studied. Key strengthening algorithms use hashing as a proof of work, so a break would be an optimised algorithm. Usually, the designers of hash functions consider optimised algorithms to be useful, not a break.
-- Tim Starling
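The work-factor point in Tim's reply, as an added example that is not code from the thread or from MediaWiki: it takes the thread's own figures (90 million guesses per second, a random 8-letter lowercase password), derives the roughly 20-minute crack time, and shows how a key-strengthening hash raises the attacker's cost per guess in step with the verifier's. PBKDF2-HMAC-SHA256 is assumed here as a stand-in for the key-strengthening algorithms the reply mentions; the thread names no specific one.

```python
import hashlib
import hmac
import os

# Figures quoted in the thread: ~90 million guesses/s against the two-round
# MD5 scheme on one GPU, and a random 8-letter (a-z) password.
QUOTED_GUESSES_PER_SEC = 90_000_000
LOWERCASE = 26
PASSWORD_LENGTH = 8


def expected_crack_seconds(alphabet_size, length, guesses_per_sec):
    """Expected time to hit a uniformly random password: half the keyspace."""
    keyspace = alphabet_size ** length
    return keyspace / 2 / guesses_per_sec


def stretched_guess_rate(base_guesses_per_sec, iterations):
    """Rough attacker throughput once every guess costs `iterations` hashes.
    Assumes one PBKDF2 iteration costs about one hash: an approximation, not
    a benchmark."""
    return base_guesses_per_sec / iterations


def stretched_hash(password: str, salt: bytes, iterations: int) -> bytes:
    """Key-strengthened hash. PBKDF2-HMAC-SHA256 is an assumed stand-in for the
    key-strengthening algorithms the reply mentions, not MediaWiki's scheme."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def verify(password: str, salt: bytes, iterations: int, stored: bytes) -> bool:
    """Constant-time comparison so the check leaks nothing about `stored`."""
    return hmac.compare_digest(stretched_hash(password, salt, iterations), stored)


def demo(iterations=10_000):
    """Constructed sample: one stored hash, one good and one bad login, and the
    crack-time estimate before and after stretching."""
    salt = os.urandom(16)
    stored = stretched_hash("correct horse", salt, iterations)
    fast = expected_crack_seconds(LOWERCASE, PASSWORD_LENGTH, QUOTED_GUESSES_PER_SEC)
    slow = expected_crack_seconds(
        LOWERCASE, PASSWORD_LENGTH,
        stretched_guess_rate(QUOTED_GUESSES_PER_SEC, iterations))
    return {
        "verifies": verify("correct horse", salt, iterations, stored),
        "rejects": not verify("wrong", salt, iterations, stored),
        "two_round_minutes": fast / 60,   # ~19 min, the thread's "20 minutes"
        "stretched_days": slow / 86400,   # same keyspace, ~134 days
    }
```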