Open Source and information security mailing list archives
Date: Sun, 19 Jan 2014 10:15:02 -0800
From: "Dennis E. Hamilton" <>
To: <>,
	'Krisztián Pintér' <>
Subject: RE: [PHC] Native server relief support for password hashing in browsers


-----Original Message-----
From: Krisztián Pintér [] 
Sent: Sunday, January 19, 2014 10:07
To: Dennis E. Hamilton
Subject: Re: [PHC] Native server relief support for password hashing in browsers

Dennis E. Hamilton (at Sunday, January 19, 2014, 6:56:31 PM):

>  2. Under the given PHC threat scenario, it is assumed that K is
> disclosed and the work factor for discovering a k0 (or k0'
> collision) value by off-line attack is daunting enough and of
> limited value (i.e., that value is not reused in any other setting).
> That work factor applies to H, not the PBKDF.

brute forcing passwords is feasible because of the typical low entropy
of passwords. brute forcing a true 128 bit space is unfeasible, and
will be unfeasible for quite some time. brute forcing a 256 bit space
is unimaginable.
