With this post I will try to show how, in a theoretical scenario, deliberately weakening the collision resistance of a password hash function can increase security. This is by no means a formal proof.
Suppose Alice has an account on two computer systems X and Y. She uses the same ...
read moreToday, I came across an article on password cracking. In the comment section I saw someone had posted (presumably right after they just read about salting) the following reply:
My solution: don't store hashes as a single SHA1 or MD5 result ... combine it for further obfuscation. A hash is ...read more
This week, LinkedIn, eHarmony, and last.fm have all confirmed that their password hash databases have been breached. In all three cases, passwords were stored as an unsalted hash. I've already reported the results of cracking LinkedIn's password hashes with CrackStation, now it's eHarmony's turn.
eHarmony ...
read moreLinkedIn's user database has been breached. The passwords were hashed with SHA1, but salt was not used. 6 million of them have been published to the internet. You can download them via torrent or via HTTP from defuse.ca's mirror. 3.5 million of them have had their ...
read moreWe know that it's possible to come up with a password that no computer on earth can crack. Use true random data to generate a sequence of 20 characters from the full ASCII printable set, spend an hour memorizing, and you're good. We also know that most people ...
read more