On Sat 26 Aug 2017 at 21:15:37 +0200, Thomas Schmitt wrote:
> Hi,
>
> Brian wrote:
> > echo 'secretpassword' | sha256sum - | base64 | cut -c -30 | head -1
>
> The quality criterion is the ease or difficulty to guess the 'secretpassword'
> by a skilled enumerator and the fact whether your attacker knows the rest
> of your processing pipeline.
>
> If your secretpassword itself is enumerated late, then the attacker needs
> a lot of tries.
>
> If you keep the further processing secret, then the attacker will have to
> try several hash algorithms with each enumerated input string. Quite hard
> to guess would be if you replace sha256sum by an encryption program with
> a key which you successfully keep secret.

Increasing difficulty in this way looks good to me. Thanks. I would most
certainly hope I could keep the key secret.

> If you stay with sha512sum:
> The combination of sha256sum and base64 inflates the string length before
> it gets cut to 30 characters length. So you actually throw away good bits
> which would elsewise fit into the 30 characters.
> It would be better to convert sha512sum output from hex to binary before
> applying base64 to make it printable. This brings a maximum of sha256sum
> bits into the 30 character result.

Ok, I think I've got the idea here. xxd looks a useful utility for the
conversion.

-- 
Brian.
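An added example (not code from Brian's or Thomas's messages) that puts the two pipelines side by side and counts how many SHA-256 bits each 30-character token actually carries; it assumes sha256sum and base64 are on PATH and substitutes a printf-based hex-to-binary helper for xxd so it runs without it.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes sha256sum and base64 (coreutils);
# hex_to_bin stands in for `xxd -r -p` so xxd itself is not required.

# Convert a hex string on stdin into raw bytes (portable stand-in for xxd -r -p).
hex_to_bin() {
  hex=$(tr -d ' \n')
  while [ "${#hex}" -ge 2 ]; do
    pair=${hex%"${hex#??}"}                      # first two hex digits
    hex=${hex#??}                                # drop them
    printf "\\$(printf '%03o' "$((0x$pair))")"   # emit the byte as an octal escape
  done
}

# Brian's original pipeline: base64 is applied to the *hex text* of the digest
# (plus the "  -" filename suffix), then cut to 30 characters.
weak_token() {
  printf '%s\n' "$1" | sha256sum - | base64 | cut -c -30 | head -1
}

# Thomas's suggestion: drop the suffix, turn the 64 hex digits into the 32 raw
# digest bytes, and only then base64-encode and cut.
strong_token() {
  printf '%s\n' "$1" | sha256sum - | cut -c -64 | hex_to_bin | base64 | cut -c -30 | head -1
}

# Digest bits carried by a token of $1 characters: every base64 character
# encodes 6 bits of its input, and each input byte holds $2 digest bits
# (4 for hex text, 8 for raw digest bytes).
hash_bits_in_token() {
  echo $(( $1 * 6 * $2 / 8 ))
}

# Same 30-character length, but the raw-byte variant keeps twice the digest.
weak_token 'secretpassword'
strong_token 'secretpassword'
hash_bits_in_token 30 4   # 90
hash_bits_in_token 30 8   # 180
```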