Security Basics mailing list archives

Re: Hashing passwords


From: Kai Wirt <u-turn1 () gmx de>
Date: Mon, 11 Jun 2012 21:11:39 +0200

On Mon, Jun 11, 2012 at 07:55:34PM +0200, Ansgar Wiechers wrote:
> On 2012-06-11 haZard0us wrote:
> > This may well be a silly question but, with this recent hashed
> > password leakage, I want to ask something about properly hashing.
> >
> > The "manuals" say that we should create a salt and then hash it. But,
> > since calculating a hash is a "relative simple" operation (in matter
> > of processing power), is hashing two or three times the password (hash
> > over hash) a "kind of" secure method or it is as weak as not using
> > salt at all?
> >
> > It can still be cracked but...
>
> Yes, it can still be cracked. However, salting passwords defeats the
> advantages gained from using rainbow tables, so cracking the password
> will still take a significantly longer time than it would for an
> unsalted password.
>
> Regards
> Ansgar Wiechers


Regarding the question about hash over hash: as this increases the time
required to test a password, it is used to make brute-force attacks more
expensive.


Regards

Kai

-- 
"They that give up essential liberties to obtain a little temporary safety deserve neither liberty nor safety."

                                         Benjamin Franklin

PGP Fingerprint: 8416 F8F7 4E84 0500 351B  435D 8A2D 5545 3D36 FD29
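
Added example, not part of the original thread: the two points made above (a per-password salt, and repeated hashing to raise the cost of each guess) shown in Python. The literal "hash over hash" loop is included for comparison; the storage functions use PBKDF2-HMAC-SHA256, a standardized iterated construction that the thread does not name, and the 16-byte salt and iteration count are assumptions of this example.

```python
import hashlib
import hmac
import os
import time

ITERATIONS = 200_000  # assumed work factor for this example; tune per hardware


def hash_over_hash(password, salt, rounds):
    """Literal 'hash over hash': SHA-256 applied `rounds` times to salt+password."""
    digest = hashlib.sha256(salt + password.encode()).digest()
    for _ in range(rounds - 1):
        digest = hashlib.sha256(digest).digest()
    return digest


def hash_password(password, salt=None, iterations=ITERATIONS):
    """Return (salt, iterations, digest), drawing a fresh random salt if none given."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, iterations, digest


def verify_password(password, salt, iterations, expected):
    """Recompute with the stored salt and iteration count; compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(digest, expected)


def seconds_per_guess(iterations, samples=3):
    """Average time needed to test one candidate password at this work factor."""
    salt = os.urandom(16)
    start = time.perf_counter()
    for _ in range(samples):
        hashlib.pbkdf2_hmac("sha256", b"candidate", salt, iterations)
    return (time.perf_counter() - start) / samples


if __name__ == "__main__":
    pw = "correct horse battery staple"  # constructed sample password
    a, b = hash_password(pw), hash_password(pw)
    # Different salts give different digests, so one precomputed table cannot cover both.
    print("same password, digests equal?", a[2] == b[2])
    print("verify correct:", verify_password(pw, *a))
    print("verify wrong:  ", verify_password("guess", *a))
    for n in (1, 1_000, ITERATIONS):
        print(f"{n:>7} iterations: {seconds_per_guess(n) * 1e3:.3f} ms per guess")
```

The salt and iteration count are stored next to the digest; neither is secret, and the iteration count sets how much each guess costs both the server and an attacker.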
