lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Fri, 24 Jan 2014 14:17:56 -0800
From: Andy Lutomirski <>
To: discussions <>
Subject: Re: [PHC] A silly (?) consideration for script-friendly hashes

On Fri, Jan 24, 2014 at 2:16 PM, Larry Bugbee <> wrote:
> On Jan 24, 2014, at 2:13 PM, Andy Lutomirski <> wrote:
>> just hash the domain in
>> with the salt before using it to hash a password
> Good idea, but why not also add userid?

Because then you need some kind of trusted input so that scripts can't
just fake the userid.  At that point, you might as well try to use a
protocol like SRP instead.


Powered by blists - more mailing lists