t to see who can offline crack a set of 1M users? Your bcrypt
>>>>>> list vs my “Weird” You don’t even have to give me the salt I’ll have
>>>>>> 10k
>>>>>> of those cracked in the first 72 hours. 10 to 1 odds you won’t get
eady deciphered list of the most common passwords and you
>>>>> calculate
>>>>> the top 5k using bcrypt and you now have about 50% of the data in fewer
>>>>> than 10k operations.
>>>>>
ass+UserID+Salt) be the best? Yes. But
>>> MD5(Pass+UserID+Salt) is still going to be orders of magnitude
>>> more difficult than Bcrypt(Pass+salt), because I can’t use knowledge of
>>> frequency tables to predict likely outcomes or detect duplicate passwords.
beginning or end of the password.
>>
>> 4) Both MD5 and SHA1 are Merkle-Damgård construction hashes (
>> http://en.wikipedia.org/wiki/Merkle%E2%80%93Damg%C3%A5rd_construction).
>> As a result, the concatenation of several hashes is no more secure than the
>> most secure of
>
> *From:* google-appengine@googlegroups.com [mailto:
> google-appengine@googlegroups.com] *On Behalf Of *Nick Johnson
> *Sent:* Monday, November 14, 2011 6:21 PM
>
> *To:* google-appengine@googlegroups.com
> *Subject:* Re: [google
gle-appengine@googlegroups.com] On Behalf Of Nick Johnson
Sent: Monday, November 14, 2011 6:21 PM
To: google-appengine@googlegroups.com
Subject: Re: [google-appengine] Help resolve massive performance regression
in 2.7 vs 2.5 runtime
Hi Brandon,
What you say is fine if your threat model only
It doesn't matter if you can have your ATI card up and running sooner if
every single password attempt takes a whole lot longer to try. That is the
main strength of bcrypt.
roups.com [mailto:
> google-appengine@googlegroups.com] *On Behalf Of *Nick Johnson
> *Sent:* Monday, November 14, 2011 3:56 PM
>
> *To:* google-appengine@googlegroups.com
> *Subject:* Re: [google-appengine] Help resolve massive performance
> regression in 2.7 vs 2.5 runtime
>
gle-appengine@googlegroups.com] On Behalf Of Nick Johnson
Sent: Monday, November 14, 2011 3:56 PM
To: google-appengine@googlegroups.com
Subject: Re: [google-appengine] Help resolve massive performance regression
in 2.7 vs 2.5 runtime
No! Please, please don't do this. Obscurity is no substi
>
> Uniqueness of the method is more important than the method.
>
>
>
> -Original Message-
> From: google-appengine@googlegroups.com
> [mailto:google-appengine@googlegroups.com] On Behalf Of Brian Quinlan
> Sent: Saturday, November 12, 2011 6:58 PM
> To: google-appen
oups.com
[mailto:google-appengine@googlegroups.com] On Behalf Of Brian Quinlan
Sent: Saturday, November 12, 2011 6:58 PM
To: google-appengine@googlegroups.com
Subject: Re: [google-appengine] Help resolve massive performance regression
in 2.7 vs 2.5 runtime
Hi Pol,
On Sun, Nov 13, 2011 at 1:48 PM, Pol wrote:
> Hi,
>
> Since switching to 2.7 runtime, logging in to http://www.everpix.com
> went from about a second to anywhere from 15s to 60s. I tracked it
> down to this single password checking line:
>
> from bcrypt import bcrypt
> bcrypt.hashpw(passw
Hi,
Since switching to 2.7 runtime, logging in to http://www.everpix.com
went from about a second to anywhere from 15s to 60s. I tracked it
down to this single password checking line:
from bcrypt import bcrypt
bcrypt.hashpw(password, self.password_hash) == self.password_hash
This comes from "a n