Security Basics mailing list archives

RE: Hashing passwords


From: Dave Kleiman <dave () davekleiman com>
Date: Tue, 12 Jun 2012 13:03:18 -0500

Haz,

Do you mean to compare salting and hashing against hashing multiple times, and how long it would take to brute force each?


Respectfully,

Dave Kleiman - http://www.ComputerForensicsLLC.com - http://www.DaveKleiman.com

4371 Northlake Blvd #314
Palm Beach Gardens, FL 33410
561.310.8801 


-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Jennifer Wachter
Sent: Tuesday, June 12, 2012 09:51
To: haZard0us
Cc: security-basics () securityfocus com
Subject: Re: Hashing passwords




I know that and you probably misread the question or my explanation 
was not clear enough.

My question was: is hashing two or three times (without a salt) a 
secure method or is it as secure as hashing only one time without salt?


Oh sorry, I really misunderstood your question.

As far as I understood, it can significantly improve the security of the 
"clear text" passwords but, with a reaaaaaaally big hash db, you can 
crack it.

I do agree with you when you say that it will give the same hash for 
same passwords, even if I hash it infinite times. So I guess that I'll 
have to study the security/performance effects of such a measure. Maybe 
one day I'll present it to the world.

Thanks all for the answers. I'm really grateful.
--haZ
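
The comparison the thread is circling, as an added example that is not part of any poster's message: an unsalted hash applied several times still maps equal passwords to equal digests, so one precomputed table covers every account, while a per-user salt breaks both properties. The function names, the sample users, the candidate list and the choice of PBKDF2-HMAC-SHA256 for the salted side are assumptions made for illustration.

```python
import hashlib
import hmac
import os

def iterated_sha256(password, rounds):
    """Unsalted hash applied `rounds` times: H(H(...H(password)))."""
    digest = password.encode()
    for _ in range(rounds):
        digest = hashlib.sha256(digest).digest()
    return digest.hex()

def build_table(candidates, rounds):
    """One digest -> password table; it is valid for every account at once."""
    return {iterated_sha256(p, rounds): p for p in candidates}

def salted_record(password, iterations=100_000):
    """Per-user random salt plus PBKDF2-HMAC-SHA256 (assumed scheme)."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, dk

def verify(password, salt, dk, iterations=100_000):
    """Recompute with the stored salt and compare in constant time."""
    test = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(test, dk)

# Constructed sample data: two users share a weak password, one does not.
USERS = {"alice": "letmein", "bob": "letmein", "carol": "Xk9#vT2q"}
CANDIDATES = ["123456", "password", "letmein", "qwerty"]

def demo(rounds=3):
    unsalted = {u: iterated_sha256(p, rounds) for u, p in USERS.items()}
    table = build_table(CANDIDATES, rounds)
    # A single lookup per stored digest resolves every account with a listed password.
    recovered = {u: table[h] for u, h in unsalted.items() if h in table}
    salted = {u: salted_record(p) for u, p in USERS.items()}
    # The same table is useless here: each digest depends on that user's salt.
    salted_hits = [u for u, (_, dk) in salted.items() if dk.hex() in table]
    return {
        "same_unsalted": unsalted["alice"] == unsalted["bob"],
        "recovered": recovered,
        "same_salted": salted["alice"][1] == salted["bob"][1],
        "salted_hits": salted_hits,
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "=", value)
```

Raising `rounds` only multiplies the one-time cost of building the table; it does not make the table per-user, which is what the salt does.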




