Actually, you'd just speed up their attack, since most failed attempts would be quicker than others.
If you look in the crypto utils, you'll see a "constant time compare" ... this is a common thing in crypto circles to avoid leaking "how close" the guess was by how quickly the mismatch was found. This is a class of "side channel attach"... worth reading up on if you want to get further into crypto: http://en.wikipedia.org/wiki/Side_channel_attack -- Curtis On 15 September 2013 19:00, Ram Rachum <[email protected]> wrote: > Hi guys, > > I just saw the new release announcement and I had an idea. > > What if, in addition to sorting the hard to compute hash for every > password, we will also store the sha 1 hash of the first 5 characters ofthe > password's sha1 hash? Wouldn't this allow us to quickly rule out 99% of > passwords, thereby defending against dos attacks, while atthe same time not > letting an attacker who obtained the hashes to get the passwords? > > I'm not a security expert, just brainstorming. > > Thanks, > Ram. > > -- > You received this message because you are subscribed to the Google Groups > "Django developers" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to [email protected]. > To post to this group, send email to [email protected]. > Visit this group at http://groups.google.com/group/django-developers. > For more options, visit https://groups.google.com/groups/opt_out. > -- You received this message because you are subscribed to the Google Groups "Django developers" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To post to this group, send email to [email protected]. Visit this group at http://groups.google.com/group/django-developers. For more options, visit https://groups.google.com/groups/opt_out.
