Open Source and information security mailing list archives
 
Date: Tue, 6 May 2014 07:53:33 -0400
From: Bill Cox <waywardgeek@...il.com>
To: discussions@...sword-hashing.net
Subject: Hashing password while typing

Here's a dumb idea for reducing the pain associated with long password
hashing runtimes.  Simply hash the password while the user is typing it.
I'm sure it's an old idea, but I haven't heard it before, so just in case,
I thought I'd post it here before someone patents it.

There are a ton of issues, which I haven't figured out.  An attacker would
likely guess a prefix, and then try a lot of suffixes, before moving to the
next prefix, making all that pre-computation close to worthless.  However,
the time between typing the last character in his password and hitting
Enter is time well used for hashing.  Also, the hashing time spent on the
password before the last character isn't completely wasted.  One way to
look at it is as a generator for an in-memory ROM.

In a challenge-response system, each password guess could hash memory
differently, thwarting precomputation of prefixes.

Anyway, it's just this morning's dumb idea...

Bill
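
The prefix/suffix trade-off raised in the message above, as an added example that is not part of the original post. It is a toy per-keystroke scheme that counts how much hashing work is shared across guesses with a common prefix. Iterated SHA-256 stands in for a real password hashing function, and the iteration counts, function names and candidate strings are constructed assumptions.

```python
import hashlib

ITERS_PER_KEY = 200   # assumed background work per keystroke
ITERS_AT_ENTER = 200  # assumed work between the last keystroke and Enter

def stretch(state: bytes, data: bytes, iters: int) -> bytes:
    """Iterated SHA-256, a stand-in for a real memory-hard function."""
    state = hashlib.sha256(state + data).digest()
    for _ in range(iters - 1):
        state = hashlib.sha256(state).digest()
    return state

def hash_while_typing(password: str, salt: bytes) -> bytes:
    """Absorb each keystroke as it arrives, then finalize on Enter."""
    state = salt
    for ch in password:
        state = stretch(state, ch.encode(), ITERS_PER_KEY)
    return stretch(state, b"enter", ITERS_AT_ENTER)

def naive_cost(candidates) -> int:
    """Iterations spent if every candidate is hashed from scratch."""
    return sum(len(c) * ITERS_PER_KEY + ITERS_AT_ENTER for c in candidates)

def amortized_cost(candidates, salt: bytes):
    """Iterations spent when intermediate prefix states are cached.

    Returns (iterations, {candidate: hash}) so the result can be checked
    against hash_while_typing().
    """
    cache = {"": salt}          # prefix -> state after absorbing it
    work, hashes = 0, {}
    for cand in candidates:
        k = len(cand)
        while cand[:k] not in cache:   # longest prefix already computed
            k -= 1
        state = cache[cand[:k]]
        for i in range(k, len(cand)):
            state = stretch(state, cand[i].encode(), ITERS_PER_KEY)
            cache[cand[:i + 1]] = state
            work += ITERS_PER_KEY
        hashes[cand] = stretch(state, b"enter", ITERS_AT_ENTER)
        work += ITERS_AT_ENTER   # the only part that is never shared
    return work, hashes

if __name__ == "__main__":
    # Constructed sample: one 12-character prefix with ten 1-digit suffixes.
    cands = ["correcthorse" + str(d) for d in range(10)]
    work, _ = amortized_cost(cands, b"constructed-salt")
    print("from scratch:", naive_cost(cands), "with prefix cache:", work)
```

After the first guess, each further suffix costs only the last keystroke plus the Enter stage, so in this toy the strength of the scheme rests on the work done after the final character.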
