-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 El 18-04-2011 8:21, Hauke Laging escribió: > Am Montag 18 April 2011 12:53:12 schrieb Faramir: > >> Maybe we should just pick a "good password", hash it a couple of >> times, and use that hash as the real password... we could carry the >> hashing tool in a flash drive. > > That does not make sense to me because you do not increase the key space by > that. If you try to defend against somebody who knows what you do then it is > no protection.
Well, true, if the attacker knows I do that. But as the password is supposed to be secret, the password generation procedure could be considered secret too. So, lets say, I think about a password easy to remember to me, then I apply SHA-256 to it a "secret" amount of times (lets say, I hash the hash 5 times). And I would use that final hash as a password. It would defeat any dictionary attack, since the 4° hash wouldn't be in any "commond words" dictionary. It would still be vulnerable to a complete rainbow table for SHA-256, but if such rainbow table exists at all, then we are all toasted, no matter what password we use, it would still be found. I don't know the storage space needed for the whole key space of SHA-256, but I guess it would be huge (maybe not feasible). Best Regards -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iQEcBAEBCAAGBQJNrWpeAAoJEMV4f6PvczxAm6gH/3SMKQjixZgWZkAQBko+kzWC L+3GtWW6TauKyaXRHxNPdYeXbAuM9wfQAqPuUw237i1X/c3U/FdCvebfxgHT7LKU kgwArstAyXoQnTlpjJ4Tu2ZA1WUOIVseP5YRU16W1CUVG7dzewSBatire/yXkLqC Djz84kZMOdm88F1PPH3hXUjYjgVKBw3OzcENxEd88h35QshxUm6G6EV3v5K10k0R atYbPvWrKKNX2tgU0QP/2MDiOVQeHm8pc2S0M8ddtJ+rL2PULTkCTHJjevCZK4vr rg4lUhU65E+x4oZPMYHw4H039tb7Pz0g+OhdTKwkEQf0Qz3BqafRsFShLiwoOFA= =qQO5 -----END PGP SIGNATURE----- _______________________________________________ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
