On Jul 31, 2009, at 1:32 AM, Bottiger wrote:

> Can you please take some time to actually understand the situation.
> Every time you keep repeating the same factually incorrect statements.
>
> md5(password1+password1)
>
> password1 is not the same as
>
> md5(password2+password2)
>
>> Suppose you have a dictionary of 1,000,000 weak passwords and
>> precompute their 1,000,000 hashes. How many hashes do you need to
>> precompute? 1,000,000.
>
> Is there a point in there somewhere? Your suggestion:
>
> md5(password+random)+random (BTW systems use md5(password+random), the
> extra random is useless)
>
> The attacker knows what random is. It is not random anymore. This is
> what the attacker sees:
>
> md5(password+characters_in_db)+characters_in_db
>
> Suppose you have a dictionary of 1,000,000 weak passwords and
> precompute their 1,000,000 hashes. How many hashes do you need to
> precompute with your idea? 1,000,000. There is no difference.

1,000,000 * (size of random space)
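The count given in the reply above, worked through as an added example (not code from either poster or from web2py): a table built ahead of time covers every account when hashes are unsalted, but must cover dictionary × salt space when each record is stored as md5(password+random)+random. The four-word dictionary, the 2-hex-digit salt space and the two sample records are constructed for illustration; real salts are far larger.

```python
import hashlib
from itertools import product

# Constructed sample data (assumptions, not from the thread)
DICTIONARY = ["123456", "password", "letmein", "qwerty"]
SALT_ALPHABET = "0123456789abcdef"
SALT_LEN = 2  # 16**2 = 256 possible salts


def h(password, salt=""):
    """md5(password+salt), the construction discussed in the thread."""
    return hashlib.md5((password + salt).encode()).hexdigest()


def store(password, salt):
    """Database record: md5(password+random) kept alongside random."""
    return h(password, salt), salt


def precompute_unsalted(words):
    """One table, built before any breach, maps every unsalted hash back."""
    return {h(w): w for w in words}


def precompute_salted(words):
    """A table built before the salts are known needs one row per (word, salt)."""
    salts = ("".join(s) for s in product(SALT_ALPHABET, repeat=SALT_LEN))
    return {(h(w, s), s): w for s in salts for w in words}


def demo():
    unsalted = precompute_unsalted(DICTIONARY)
    salted = precompute_salted(DICTIONARY)
    # Two accounts with the same weak password but different salts
    records = [store("letmein", "a3"), store("letmein", "7f")]
    return {
        "unsalted_entries": len(unsalted),  # |dictionary|
        "salted_entries": len(salted),      # |dictionary| * |salt space|
        "same_password_same_hash": records[0][0] == records[1][0],
        "unsalted_table_hits": sum(r[0] in unsalted for r in records),
        "salted_table_hits": sum(r in salted for r in records),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

With the salt stored in the clear, the per-record work after a breach is still one dictionary pass per distinct salt; what the salt removes is the ability to reuse a single precomputed table across all records, which is why salt length and a slow hash both matter.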