Private Key Generation from Passwords/phrases
Alexander Klimov
alserkli at inbox.ru
Tue Jan 30 11:56:12 EST 2007
On Sun, 28 Jan 2007, Steven M. Bellovin wrote:
> Beyond that, 60K doesn't make that much of a difference even with a
> traditional /etc/passwd file -- it's only an average factor of 15
> reduction in the attacker's workload. While that's not trivial, it's
> also less than, say, a one-character increase in average password
> length. That said, the NetBSD HMAC-SHA1 password hash, where I had
> some input into the design, uses a 32-bit salt, because it's free.
In many cases the real goal is not to find all (or many) passwords,
but to find at least one, so one may concentrate on the most-oftenly
used salt. (Of course, with 60K passwords there is almost for sure at
least one "password1" or "Steven123" and thus the salts are
irrelevant.)
--
Regards,
ASK
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
More information about the cryptography
mailing list