Date: Sun, 19 Jan 2014 19:06:34 +0100
From: Krisztián Pintér <pinterkr@...il.com>
To: "Dennis E. Hamilton" <dennis.hamilton@....org>
CC: discussions@...sword-hashing.net
Subject: Re: [PHC] Native server relief support for password hashing in browsers


Dennis E. Hamilton (at Sunday, January 19, 2014, 6:56:31 PM):

>  2. Under the given PHC threat scenario, it is assumed that K is
> disclosed and the work factor for discovering a k0 (or k0'
> collision) value by off-line attack is daunting enough and of
> limited value (i.e., that value is not reused in any other setting).
> That work factor applies to H, not the PBKDF.

brute forcing passwords is feasible because of the typical low entropy
of passwords. brute forcing a true 128 bit space is unfeasible, and
will be unfeasible for quite some time. brute forcing a 256 bit space
is unimaginable.

