[105645] in cryptography@c2.net mail archive
Re: Password hashing
daemon@ATHENA.MIT.EDU (Peter Gutmann)
Thu Oct 18 14:13:55 2007
From: pgut001@cs.auckland.ac.nz (Peter Gutmann)
To: cryptography@metzdowd.com, Martin.Cochran@Colorado.EDU
In-Reply-To: <E6CBAD7F-264C-4A61-B35A-7F52D5B7DA23@colorado.edu>
Date: Sun, 14 Oct 2007 18:48:53 +1300
Martin James Cochran <Martin.Cochran@Colorado.EDU> writes:
>This might work, although 90% of the steps seem to unnecessarily (and
>perilously) complicate the algorithm. What's wrong with starting with input
>SALT || PASSWORD and iterating N times, where N is chosen (but variable) to
>make brute-force attacks take longer?
Or just use PBKDF2, RFC 2898. It does what's required, has been vetted by
cryptographers, is an IETF standard, has free implementations available, ...
Peter.
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
