On 11/02/13 14:38, Donald Stufft wrote:
> What were they hashed with? Even with a salt a fast hash is trivial
> to bruteforce for a large number of passwords in practically no
> time with trivial hardware.

Not if your salt has 256 bits of entropy. The usual approach would be to use two salts: a personal salt per user, stored in a different database from the hashed password (to reduce the possibility of the same bug affecting both databases), and a global per-site salt, stored outside of the database. Salts can be big. You cannot brute-force a 256-bit salt.

-- 
Jesús Cea Avión
http://www.jcea.es/

_______________________________________________
Catalog-SIG mailing list
http://mail.python.org/mailman/listinfo/catalog-sig
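The two-salt layout described in the message above, sketched as an added example that is not part of the original message. The class name, the in-memory dicts standing in for the two databases, and the choice of PBKDF2-HMAC-SHA256 with this iteration count are assumptions; the message does not name a hash function.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 200_000  # assumption: PBKDF2 work factor, not taken from the message


class TwoSaltStore:
    """Per-user salts and password hashes kept in separate stores."""

    def __init__(self, site_salt: bytes):
        if len(site_salt) < 32:
            raise ValueError("site salt must be at least 256 bits")
        self._site_salt = site_salt  # global per-site salt, held outside any database
        self.salt_db = {}            # stands in for the per-user salt database
        self.hash_db = {}            # stands in for the separate hash database

    def _derive(self, password: str, user_salt: bytes) -> bytes:
        # Both salts feed the derivation, so both are needed to check a guess.
        return hashlib.pbkdf2_hmac(
            "sha256", password.encode("utf-8"),
            self._site_salt + user_salt, ITERATIONS)

    def register(self, user: str, password: str) -> None:
        user_salt = secrets.token_bytes(32)  # 256-bit personal salt
        self.salt_db[user] = user_salt
        self.hash_db[user] = self._derive(password, user_salt)

    def verify(self, user: str, password: str) -> bool:
        user_salt = self.salt_db.get(user)
        stored = self.hash_db.get(user)
        if user_salt is None or stored is None:
            return False  # unknown user, or one of the two records is missing
        return hmac.compare_digest(stored, self._derive(password, user_salt))


def demo() -> dict:
    store = TwoSaltStore(secrets.token_bytes(32))
    store.register("alice", "correct horse")  # constructed sample accounts
    store.register("bob", "correct horse")
    # Same two databases, but a different site salt: models a copy of both
    # databases being checked without the value stored outside them.
    copy = TwoSaltStore(secrets.token_bytes(32))
    copy.salt_db, copy.hash_db = store.salt_db, store.hash_db
    return {
        "good_login": store.verify("alice", "correct horse"),
        "bad_login": store.verify("alice", "wrong"),
        "same_password_same_hash": store.hash_db["alice"] == store.hash_db["bob"],
        "verifies_without_site_salt": copy.verify("alice", "correct horse"),
    }
```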
