Hi Vladis, Hi dear list, [EMAIL PROTECTED] a écrit : > > It's a pretty easy proof actually. If your password input routine allows > more different passwords than there are possible hashes, you *will* have > collisions. For instance, if you use a 64-bit hash, and reasonable-length > passwords, you can create more than 2**64 of them, and 2 *have* to collide. > > Agreed, good sense helps in some cases ;) > > If you're using anything resembling a sane hash (such as MD5 or similar), > what happens is that you basically ignore the hash collisions - because > rather than "1234", your colliding password/phrase is probably a 32-byte or so > string, which is likely not even enterable at the keyboard (it ends up being > A # ctl-b 9 e alt-control-meta-$ etcetc - of the 32, likely only 10 or so > of the characters are from the 96-char printable ASCII set, and there's a good > chance that at least several of the bytes are ones you can't enter from the > keyboard at all....) > Here again, I agree. Now, if one needs to exhaustively try every possible 32b hashes with the largest possible charset (or even bigger hashes with a smaller - like those alphanumerical keys you just mentionned), to break a password hash, the it's not a "*BIG*" security issue like mentionned earlier imho.
Cheers, endrazine- _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/