Actually, you'd just speed up their attack, since most failed attempts
would be quicker than others.

If you look in the crypto utils, you'll see a "constant time compare" ...
this is a common thing in crypto circles to avoid leaking "how close" the
guess was by how quickly the mismatch was found.

This is a class of "side channel attack"... worth reading up on if you want
to get further into crypto: http://en.wikipedia.org/wiki/Side_channel_attack

--
Curtis



On 15 September 2013 19:00, Ram Rachum <ram.rac...@gmail.com> wrote:

> Hi guys,
>
> I just saw the new release announcement and I had an idea.
>
> What if, in addition to storing the hard to compute hash for every
> password, we will also store the SHA-1 hash of the first 5 characters of the
> password's SHA-1 hash? Wouldn't this allow us to quickly rule out 99% of
> passwords, thereby defending against DoS attacks, while at the same time not
> letting an attacker who obtained the hashes get the passwords?
>
> I'm not a security expert, just brainstorming.
>
> Thanks,
> Ram.
>
> --
> You received this message because you are subscribed to the Google Groups
> "Django developers" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to django-developers+unsubscr...@googlegroups.com.
> To post to this group, send email to django-developers@googlegroups.com.
> Visit this group at http://groups.google.com/group/django-developers.
> For more options, visit https://groups.google.com/groups/opt_out.
>
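The two points made in the reply above, as an added example that is not code from the thread or from Django: first, an attacker who steals the proposed SHA-1 "hint" alongside the slow hash can reject almost every wordlist candidate with a cheap SHA-1 and only pays the expensive hash for the rare survivors, so the shortcut speeds up the attacker more than the defender; second, an early-exit equality check exposes how many leading bytes of a guess matched, while a constant-time compare always walks the whole value. Everything here is constructed for the demonstration: the PBKDF2 iteration count is kept deliberately tiny, the salt and wordlist are fixed, and the function names (`slow_hash`, `sha1_prefix_hint`, `crack`, `naive_compare_steps`, `constant_time_compare_steps`) are this example's own, not Django's.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

# Deliberately low so the demo runs in well under a second; a real deployment
# uses a far higher count (or Argon2/bcrypt). Assumption for this example only.
PBKDF2_ITERATIONS = 1000
DEMO_SALT = b"constructed-demo-salt"   # fixed so the results are reproducible


def slow_hash(password: str, salt: bytes = DEMO_SALT) -> bytes:
    """The deliberately expensive stored password hash."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def sha1_prefix_hint(password: str, n: int = 5) -> str:
    """The proposed shortcut: SHA-1 of the first n hex chars of SHA-1(password)."""
    prefix = hashlib.sha1(password.encode()).hexdigest()[:n]
    return hashlib.sha1(prefix.encode()).hexdigest()


@dataclass
class StoredRecord:
    salt: bytes
    slow_digest: bytes
    hint: Optional[str]   # None when the shortcut is not stored


def make_record(password: str, with_hint: bool, salt: bytes = DEMO_SALT) -> StoredRecord:
    """What the database would hold for one user, with or without the hint."""
    return StoredRecord(salt, slow_hash(password, salt),
                        sha1_prefix_hint(password) if with_hint else None)


def crack(record: StoredRecord, candidates: list[str]) -> tuple[Optional[str], int]:
    """Offline guessing attack against a leaked record.

    Returns (recovered password or None, number of slow_hash calls made).
    The slow-hash count is the attacker's real cost; the SHA-1 work is negligible.
    """
    slow_calls = 0
    for cand in candidates:
        if record.hint is not None and sha1_prefix_hint(cand) != record.hint:
            continue   # cheap rejection: the stored hint did the attacker's filtering
        slow_calls += 1
        if hmac.compare_digest(slow_hash(cand, record.salt), record.slow_digest):
            return cand, slow_calls
    return None, slow_calls


def naive_compare_steps(a: bytes, b: bytes) -> tuple[bool, int]:
    """Early-exit compare; returns (equal, bytes examined before answering).

    The second value is what a timing side channel exposes: it grows with
    the length of the matching prefix of the guess.
    """
    if len(a) != len(b):
        return False, 0
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y:
            return False, i + 1
    return True, len(a)


def constant_time_compare_steps(a: bytes, b: bytes) -> tuple[bool, int]:
    """Accumulate XOR differences and always walk the full length.

    Mirrors the shape of a classic constant-time compare; in real code use
    hmac.compare_digest() or django.utils.crypto.constant_time_compare().
    """
    if len(a) != len(b):
        return False, 0
    diff = 0
    for x, y in zip(a, b):
        diff |= x ^ y
    return diff == 0, len(a)


# Constructed demo wordlist: 300 wrong guesses, then the real password last.
CANDIDATES = [f"hunter{i}" for i in range(300)] + ["tr0ub4dor&3"]


def demo() -> dict[str, int]:
    """Attacker cost (slow hashes computed) with and without the stored hint."""
    plain = make_record("tr0ub4dor&3", with_hint=False)
    hinted = make_record("tr0ub4dor&3", with_hint=True)
    _, cost_plain = crack(plain, CANDIDATES)
    _, cost_hinted = crack(hinted, CANDIDATES)
    return {"slow_hashes_without_hint": cost_plain,
            "slow_hashes_with_hint": cost_hinted}


if __name__ == "__main__":
    print(demo())
    print(naive_compare_steps(b"abcdef", b"abcxyz"),
          constant_time_compare_steps(b"abcdef", b"abcxyz"))
```

Without the hint the attacker pays one slow hash per candidate (301 here); with it, only the candidates whose 5-hex-character SHA-1 prefix happens to collide with the victim's ever reach the slow hash, which for a 300-word list is almost always just the real password. The compare functions make the same point about the equality check: the early-exit version stops after 4 bytes for `abcdef` vs `abcxyz` and after 1 byte for a wrong first character, while the constant-time version examines all 6 bytes either way.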
