Re: php validate user password

At 12:20 PM -0300 2/9/09, Bruno Fajardo wrote:
tedd,

I think that the problem of the "duplicated hashes" in the database
(in the case of two users using the same password) persists with a
constant prefix in the passwords. Although the random salt portion gets
stored in the database concatenated to the hash, the attacker doesn't
know the string length of the salt, making the attack very difficult.


I've seen many duplicate password hashes in databases. Get a user number in the thousands and it's almost certain you'll have duplicate passwords. People just cannot create unique passwords.

The article discussed using a random salt to avoid this, I got the message.

I was just saying that even if there are duplicates, that doesn't make solving the hash any easier -- it just focuses the attention of the cracker to those duplicates. In some cases, I could see that as another way to foil a cracker by deliberately having those records in a database without a solution.

For example, I could have a duplicate hash appear five times in a 5K population -- that certainly would become a focus for a cracker. However, I could also have my code looking for that hash and never provide a solution regardless of what the cracker does -- do you see what I mean?

Granted, there are things here that are above my head -- I am not passing myself off as an expert but rather as someone proposing ideas to see if they pass or fail.

Cheers,

tedd

--
-------
http://sperling.com  http://ancientstones.com  http://earthstones.com
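The point Bruno and tedd are discussing (a fixed prefix leaves two users with the same password holding identical hashes, while a per-user random salt stored next to the hash does not) is easy to see with a few lines of code. The following is an added example and not code from either poster or from PHP itself; it is written in Python because the idea is language-independent. The user names, passwords and the `site-wide-prefix` string are constructed sample data, and the `salt$hash` storage layout and the PBKDF2 iteration count are assumptions of this example, not something the thread specifies.

```python
import hashlib
import hmac
import secrets
from collections import Counter
from typing import Dict, Iterable, Optional, Set

# Constructed sample credentials: alice and bob chose the same password,
# which is exactly the "duplicated hashes" case the thread talks about.
USERS = {
    "alice": "correct horse battery staple",
    "bob": "correct horse battery staple",
    "carol": "a different password",
}

# Assumption: the constant prefix Bruno refers to is a single site-wide string.
CONSTANT_PREFIX = "site-wide-prefix"
PBKDF2_ITERATIONS = 100_000  # assumption for the example; tune for your hardware


def hash_with_constant_prefix(password: str) -> str:
    """Fixed prefix only: equal passwords still produce equal hashes."""
    return hashlib.sha256((CONSTANT_PREFIX + password).encode()).hexdigest()


def hash_with_random_salt(password: str, salt: Optional[bytes] = None) -> str:
    """Per-user random salt; the record stored is 'salt_hex$digest_hex'.

    The salt is not secret: it only has to differ per user so that equal
    passwords no longer map to equal stored values."""
    if salt is None:
        salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt.hex() + "$" + digest.hex()


def verify(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    salt_hex, digest_hex = stored.split("$", 1)
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), PBKDF2_ITERATIONS
    )
    return hmac.compare_digest(candidate.hex(), digest_hex)


def store_with_constant_prefix(users: Dict[str, str]) -> Dict[str, str]:
    """Build the password table the way the 'constant prefix' scheme would."""
    return {name: hash_with_constant_prefix(pw) for name, pw in users.items()}


def store_with_random_salt(users: Dict[str, str]) -> Dict[str, str]:
    """Build the password table with a fresh random salt per user."""
    return {name: hash_with_random_salt(pw) for name, pw in users.items()}


def digest_part(record: str) -> str:
    """Strip the salt from a 'salt$digest' record, leaving only the digest."""
    return record.split("$", 1)[1] if "$" in record else record


def duplicate_hashes(values: Iterable[str]) -> Set[str]:
    """Return the hash values that appear more than once in a table.

    This is the check an attacker (or an auditor) would run to spot shared
    passwords; with random salts it should come back empty."""
    counts = Counter(values)
    return {v for v, n in counts.items() if n > 1}


if __name__ == "__main__":
    fixed = store_with_constant_prefix(USERS)
    print("constant prefix duplicates:", len(duplicate_hashes(fixed.values())))
    salted = store_with_random_salt(USERS)
    print("random salt duplicates:   ",
          len(duplicate_hashes(digest_part(r) for r in salted.values())))
    print("alice login ok:", verify(USERS["alice"], salted["alice"]))
```

Running it shows one duplicated value in the constant-prefix table (alice and bob) and none in the salted table, while `verify` still accepts each user's real password. The salt is stored in the clear next to the digest; the scheme does not rely on hiding it or its length, only on it being different per user.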

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

