lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Wed, 27 Mar 2013 12:18:37 -0500
From: Matthew Green <>
Subject: Re: [PHC] Re: Suggestion: API should include a verifier function

I think separating the Generate and Verify into formally distinct algorithms is a nice idea, and it's consistent with the way (some) people define MACs. It also allows for types of randomized hashing that wouldn't be possible using a single algorithm.


On Mar 27, 2013, at 11:55 AM, Marsh Ray <> wrote:

> It still depends on the work factor, the resources of the attacker, and most of all the strength of the user-chosen password.
> Even if the administrator’s chosen parameters were extremely conservative, the exposure of the hashes could constitute a data breach which requires disclosure, notification of users, etc.
> +1 on the ‘define separate functions for generation and validation’ plan. But it does seem like that could be done mostly independently of the design of the hash function itself.
> -          Marsh

Content of type "text/html" skipped

Powered by blists - more mailing lists