[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <540664E7.6070108@ciphershed.org>
Date: Tue, 02 Sep 2014 20:46:31 -0400
From: Bill Cox <waywardgeek@...hershed.org>
To: discussions@...sword-hashing.net
Subject: Re: [PHC] A review per day - PolyPassHash
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 09/01/2014 04:25 PM, Bill Cox wrote:
> PolyPassHash is a very cool idea. To authenticate any password,
> you have to prove you know at least N correct user/password
> combinations. Once you've done this, you can authenticate passwords
> as they come in.
>
> This falls into the "other" category. It might be a useful
> bolt-on for an authentication server along with a decent password
> hashing scheme. I am really glad the author submitted it so we
> could all enjoy reading about the algorithm.
>
> However, I feel it is far enough removed from being a password
> hashing scheme that it doesn't belong among the eventual "winners".
> If we can give it an honorable mention, that would be fine :-)
>
> Since this is the place where I list my gripes, I will mention that
> I had to do a lot more debugging work to get PolyPassHash working
> than the others. However, it's no big deal.
>
> I think that's all I really have to say about PolyPassHash, other
> than to thank the author for the cool paper. Thanks!
>
> Bill
>
Just in case anyone was thinking I passed on the review of
PolyPassHash because I thought reviewing it would be distasteful or
anything, that's not it at all. I just don't know how exactly to
evaluate it. It's too different. For example, it likes to return the
same hash regardless of password, IIRC, but it's not a bug! Something
about initializing the database of password hashes... I forget, and I
would like to keep it that way! I consider it one of these
proof-of-concept things, rather than production ready code that needs
big geeks to tear it apart looking for bugs and weaknesses. However,
if they get to the point of where they need big geeks to tear apart
their code, I'll be glad to help :-)
Bill
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIcBAEBAgAGBQJUBmTkAAoJEAcQZQdOpZUZq4gP/RCqqOGl8F+TgpsJsR7NdQkg
4DLBtDSBnZo+sVWKYRNxfgMUKDknSobfFF7hh2sdbpFPKEKk6FGKC/Vn6is0mNC8
yQ+3u+enQz3z5m89yde41Minlh7yaHdI48k94v77cnE/X1eIL7mM2eiJGtru4YxH
E6/bTJohcMXQPWUSuAHzFZHdsxYPjJ8lSZsA/Dt2LfQR+/V9qcYlD325ZYSWY/b/
zGRDYeKFuwBWHZZ+Rjg5/CjaB8sh5Ys0h+JIrRXKmGHvpTO0YPk+tfjAPlQYwk4v
WXOIwbFt8IJQCmVhpSHlyfQoGy0lnI4qY7dbXqfYJU9MlWrrDyZ7mWUWIBW8V65U
qZ0MWd6TjAaISvWzPzq1EO699Y6ykOwDU3xbZSKbYI89O+CHL4YrBErHwnDIHD5b
4bYSOSysP7hsoPb22Xg9uslz4LyaATwGpCV/OE0OjWEG6BFHfNlNz0DmFY8B18+7
oqtszvY1LMlufMxJr9H1ZvJqmez21LS0oCn4z4qugyurVdJQAr/CQkLwjK5kSsV2
ESiusOocgEPFy27yrIyZ6FxNmr518HaFJZ514lwQoyUtIk9SRkZNojNgeW/KFfan
wFHE/0Opzcy56+EQhm8lyKPOQCPW+vfnOTMBYKGyOpmHFZjpEtNbjZd6iomdf16Q
yLvWSDZSsJw/BHXtDs7M
=f/E3
-----END PGP SIGNATURE-----
Powered by blists - more mailing lists