Security Basics mailing list archives

Re: Hashing passwords


From: Jennifer Wachter <jenny () recurity-labs com>
Date: Tue, 12 Jun 2012 15:51:22 +0200

I know that and you probably misread the question or my explanation was
not clear enough.

My question was: is hashing two or three times (without a salt) a secure
method or is it as secure as hashing only one time without salt?


Oh sorry, I really misunderstood your question.

As far as I understood, it can significantly improve the security of the
"clear text" passwords but, with a reaaaaaaally big hash db, you can
crack it.

I do agree with you when you say that it will give the same hash for
same passwords, even if I hash it infinite times. So I guess that I'll
have to study the security/performance effects of such a measure. Maybe
one day I'll present it to the world.

Thanks all for the answers. I'm really grateful.
--haZ 


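The property discussed in this message, as an added example that is not part of the original post: an unsalted hash applied one or three times is still deterministic, so equal passwords store equal values and a single table computed once matches every account, while a per-user salt breaks both. The user names, passwords, candidate list and function names are constructed for illustration.

```python
import hashlib
import os

def iterated_sha256(password: str, rounds: int) -> str:
    """Unsalted SHA-256 applied `rounds` times (the scheme asked about)."""
    digest = password.encode()
    for _ in range(rounds):
        digest = hashlib.sha256(digest).digest()
    return digest.hex()

def salted_pbkdf2(password: str, salt: bytes, rounds: int = 100_000) -> str:
    """Contrast case: per-user random salt fed into a standard iterated KDF."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds).hex()

# Constructed sample data: alice and bob chose the same password.
USERS = {"alice": "summer2012", "bob": "summer2012", "carol": "x9!Lq2#vT"}

def unsalted_store(rounds: int) -> dict:
    """What the credential table holds under the unsalted scheme."""
    return {user: iterated_sha256(pw, rounds) for user, pw in USERS.items()}

def salted_store() -> dict:
    """What the table holds with a fresh 16-byte salt per user."""
    store = {}
    for user, pw in USERS.items():
        salt = os.urandom(16)
        store[user] = (salt.hex(), salted_pbkdf2(pw, salt))
    return store

def users_matched_by_one_table(store: dict, candidates: list, rounds: int) -> list:
    """Weak-password audit: one table, built once, is checked against all rows."""
    table = {iterated_sha256(c, rounds) for c in candidates}
    return sorted(user for user, value in store.items() if value in table)

if __name__ == "__main__":
    candidates = ["password", "summer2012"]  # constructed candidate list
    for rounds in (1, 3):
        store = unsalted_store(rounds)
        print(rounds, "round(s): alice == bob ->", store["alice"] == store["bob"])
        print("  matched by one table:",
              users_matched_by_one_table(store, candidates, rounds))
    salted = salted_store()
    print("salted: alice == bob ->", salted["alice"][1] == salted["bob"][1])
```

With the salted store, the same audit has to recompute every candidate once per user salt, which is the cost a shared precomputed table avoids.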
