[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-Id: <85DCA0D8-3505-403A-8DC0-995CEEFC437E@gmail.com>
Date: Wed, 27 Mar 2013 12:18:37 -0500
From: Matthew Green <matthewdgreen@...il.com>
To: discussions@...sword-hashing.net
Subject: Re: [PHC] Re: Suggestion: API should include a verifier function
I think separating the Generate and Verify into formally distinct algorithms is a nice idea, and it's consistent with the way (some) people define MACs. It also allows for types of randomized hashing that wouldn't be possible using a single algorithm.
Matt
On Mar 27, 2013, at 11:55 AM, Marsh Ray <maray@...rosoft.com> wrote:
> It still depends on the work factor, the resources of the attacker, and most of all the strength of the user-chosen password.
>
> Even if the administrator’s chosen parameters were extremely conservative, the exposure of the hashes could constitute a data breach which requires disclosure, notification of users, etc.
>
> +1 on the ‘define separate functions for generation and validation’ plan. But it does seem like that could be done mostly independently of the design of the hash function itself.
>
> - Marsh
Content of type "text/html" skipped
Powered by blists - more mailing lists