Password hashing
Leichter, Jerry
leichter_jerrold at emc.com
Mon Oct 15 10:20:53 EDT 2007
| > ... What's wrong with starting
| > with input SALT || PASSWORD and iterating N times, ....
|
| Shouldn't it be USERID || SALT || PASSWORD to guarantee that if
| two users choose the same password they get different hashes?
| It looks to me like this wold make dictionary attacks harder too.
As others have pointed out, with a large enough salt, dictionary attacks
become impossible. But it's worth mentioning another issue: People's
userid's do change and it's nice not to have the hashed passwords break
as a result. (This is pretty counter-intuitive to users who change their
names, and a disaster if a large organization needs to do a mass renaming
and somehow has to coordinate a mass password update at the same time.)
-- Jerry
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
More information about the cryptography
mailing list