Tim Starling wrote:
> It's been said (e.g. [1]) that hashing passwords with two rounds of
> MD5 is basically a waste of time these days, because brute-forcing
> even relatively long passwords is now feasible with cheap hardware.
> Indeed, you can buy software [2] which claims to be able to check 90
> million MediaWiki passwords per second on an ordinary GPU. That would
> let you crack a random 8-letter password in 20 minutes.

I don't know that much about the mathematical details of hashing, but I'd like to drop a pointer to an article I found interesting in this context:

"Stop using unsafe keyed hashes, use HMAC"
http://rdist.root.org/2009/10/29/stop-using-unsafe-keyed-hashes-use-hmac/

So, how does your proposal relate to HMAC?

-- daniel