lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Tue, 6 May 2014 13:03:46 -0400
From: Peregrine <peregrinebf@...il.com>
To: discussions@...sword-hashing.net
Subject: Re: [PHC] Hashing password while typing

Also remember that password hashing functions are tuneable, and that page
loading (on the internet) takes time. It might be better to compute the
hash in the background, while sending the user all the resources which are
shared between the success and failure pages, and then dynamically load the
success/failure page as needed. Also, for most things a huge security
margin isn't needed, adding a tenth of a second to a login is barely
noticeable but still provides significant security benefit.

-- Carl 'SAI' Mitchell


On Tue, May 6, 2014 at 10:54 AM, Bill Cox <waywardgeek@...il.com> wrote:

> On Tue, May 6, 2014 at 10:43 AM, Thomas Pornin <pornin@...et.org> wrote:
>
>> Thus, I don't exactly understand what you are trying to say here.
>>
>>
>>         --Thomas Pornin
>>
>
> Well, I did call it a "dumb" idea :-)  I get inflicted with them a lot.  I
> agree... it doesn't seem like there's much to be gained with such an
> approach.  I was hoping someone might see a way to get around the
> precomputed prefix problem.  I haven't found one.
>
> Bill
>

Content of type "text/html" skipped

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ