[Owasp-leaders] Stepping through password hashing options

Dennis Groves dennis.groves at owasp.org
Mon Jun 25 02:18:38 UTC 2012


Sounds like a recipe for a hash collision at a later point in time, or
maybe not since Fujitsu just cracked *278-digit crypto* in 148 days using
21 PCs.


-- 
Dennis Groves <http://about.me/dennis.groves>, MSc
dennis.groves at owasp.org

 <http://www.owasp.org/>

*This work is licensed under the Creative Commons
Attribution-NonCommercial-NoDerivs 3.0 Unported License. To view a copy of
this license, visit http://creativecommons.org/licenses/by-nc-nd/3.0/ or
send a letter to Creative Commons, 444 Castro Street, Suite 900, Mountain
View, California, 94041, USA.*



On Mon, Jun 25, 2012 at 1:34 AM, William Stranathan <will at thestranathans.com> wrote:

> Or start the operation with sha256(sha256(salt+password)+key) or
> somesuch. Just start with a single hash which will be under the 55
> bytes.
>
> w
>
> On Sun, Jun 24, 2012 at 7:06 PM, Adrian Hayes <adrian.hayes at owasp.org>
> wrote:
> > Hi Jim,
> >
> > Thought I'd chime in with a small suggestion here. Bcrypt has an input limit
> > of 55 bytes (according to the whitepaper), which is fine until someone
> > decides to have a really long config salt which essentially pushes the
> > user's password off the end. This would be bad, so I generally recommend
> > people append any app specific salt to the end of the user's password
> > (password + salt), and warn them against doing the opposite (salt +
> > password).
> >
> > bcrypt(password + config_salt, gensalt(workfactor))
> >
> > I guess you could add that to your list of bcrypt caveats!
> >
> > --
> > Adrian Hayes
> > OWASP New Zealand Chapter Leader (Wellington)
> >
> >
> >
> > On 25/06/12 02:11, Jim Manico wrote:
> >
> > bcrypt(user salt + config salt + password, work-factor)
> >
> >
> >
>
>
>
> --
> -- coleslaw
> _______________________________________________
> OWASP-Leaders mailing list
> OWASP-Leaders at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>
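The truncation Adrian describes, and the two ways round it that the thread proposes (put the password first, or collapse salt+password with a single SHA-256 as William suggests), worked through as an added example; this is not code from any of the posters. It stands in for bcrypt with an HMAC that keeps only the first 72 bytes of its input, which is the limit real bcrypt implementations enforce (the 55 the thread cites is the paper's figure); the config salt, per-user salt and passwords are constructed, and the work factor is left out because it plays no part in the truncation problem. It also shows a caveat the thread does not mention: with password + salt, a password that reaches the limit pushes the config salt off the end.

```python
"""Model of bcrypt's input truncation and the salt/password ordering problem.

Added example, not code from the list posts.  `truncating_kdf` is a stand-in
for bcrypt: real implementations consume only the first 72 bytes of the
input string and silently ignore the rest.  An HMAC over the truncated input
reproduces that behaviour without a bcrypt dependency.
"""
import hashlib
import hmac

BCRYPT_INPUT_LIMIT = 72  # bytes actually consumed by bcrypt implementations

# Constructed values; gensalt() would supply the per-user salt in practice.
USER_SALT = b"constructed-per-user-salt"


def truncating_kdf(data: bytes, user_salt: bytes) -> bytes:
    """Stand-in for bcrypt(data, gensalt()): input past the limit is dropped."""
    return hmac.new(user_salt, data[:BCRYPT_INPUT_LIMIT], hashlib.sha256).digest()


def hash_salt_first(password: bytes, config_salt: bytes, user_salt: bytes) -> bytes:
    """config_salt + password: a long config salt pushes the password past the limit."""
    return truncating_kdf(config_salt + password, user_salt)


def hash_password_first(password: bytes, config_salt: bytes, user_salt: bytes) -> bytes:
    """password + config_salt: the password is consumed first, the salt may be cut."""
    return truncating_kdf(password + config_salt, user_salt)


def hash_prehashed(password: bytes, config_salt: bytes, user_salt: bytes) -> bytes:
    """sha256(config_salt + password) first, so the input is always 64 bytes.

    Hex-encoded rather than raw digest: a raw digest can contain 0x00, which
    C bcrypt implementations treat as end of string (another truncation).
    """
    pre = hashlib.sha256(config_salt + password).hexdigest().encode()
    return truncating_kdf(pre, user_salt)


def verify(scheme, candidate: bytes, stored: bytes, config_salt: bytes,
           user_salt: bytes) -> bool:
    return hmac.compare_digest(scheme(candidate, config_salt, user_salt), stored)


def wrong_password_accepted() -> dict:
    """Hash a real password under each scheme with an oversized config salt,
    then try a wrong password.  Returns scheme name -> True if the wrong
    password verified (i.e. the scheme is broken for this salt length)."""
    config_salt = b"A" * BCRYPT_INPUT_LIMIT  # constructed: fills the whole limit
    real = b"correct horse battery staple"
    wrong = b"hunter2"
    results = {}
    for name, scheme in (("salt_first", hash_salt_first),
                         ("password_first", hash_password_first),
                         ("prehashed", hash_prehashed)):
        stored = scheme(real, config_salt, USER_SALT)
        results[name] = verify(scheme, wrong, stored, config_salt, USER_SALT)
    return results


def password_first_loses_config_salt() -> bool:
    """Caveat of password + salt: a password at the limit drops the config salt,
    so two deployments with different config salts produce the same hash."""
    long_pw = b"p" * BCRYPT_INPUT_LIMIT
    return (hash_password_first(long_pw, b"salt-A", USER_SALT)
            == hash_password_first(long_pw, b"salt-B", USER_SALT))


if __name__ == "__main__":
    for name, broken in wrong_password_accepted().items():
        print(f"{name:15s} wrong password accepted: {broken}")
    print("password-first drops config salt at the limit:",
          password_first_loses_config_salt())
```

With a 72-byte config salt in front, every candidate password verifies against the stored value, because none of the password bytes survive truncation; putting the password first fixes that case, and the pre-hash fixes both that case and the one where a long password drops the config salt. Real bcrypt additionally stops at the first NUL byte, which is why the pre-hash is hex-encoded rather than fed in as a raw digest.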