Comments on: e4b48fd541b3dcb99cababc87c2ee88f = elephant

by: gluino

Sat, 01 Dec 2007 07:26:59 +0000

>"A trapdoor algorithm runs very quickly in one direction (turning a password into an almost-unique string of seemingly random characters), but is almost impossible to run the other way, if you don’t have access to cubic kilometres of sci-fi nanotech."

I don't think the terms "trapdoor function" and "one-way function" are strictly interchangeable.
I think MD5 is considered a one-way function, while RSA encryption is considered a trapdoor function, because there is a trapdoor (i.e. shorcut, the key) which helps you reverse the encryption... decrypt.

Whereas in the case of MD5, there is no shortcut to restoring the plaintext from the hash, or even to get some other string that collides with the plaintext.

by: loseweightslow

Sun, 18 Nov 2007 12:27:07 +0000

I was always of the belief that the salt is stored in plain sight right next to the hashed password in the passwords file and that a new salt is generated each time a password is written to the file. That way if two users have the same password the hashed passwords always look different because each has a different salt. Most secure systems require a password to be changed every few months and for it to meet minimum length and character type composition with the time frame for password change chosen by how long it a brute force checker would take to get a small way through a brute force attempt. You can improve the security by making the hash calculation computationally long, like 4096 iterations of MD5. If it takes a second to calculate the hash then it will take a huge amount of processing power and many years just to get a tiny way though the key space of an 8 character password containing upper, lower and punctuation characters. Very secure.

by: EEK

Sun, 18 Nov 2007 04:48:22 +0000

I think it's worth mentioning that a Google Search for "e4b48fd541b3dcb99cababc87c2ee88f" now returns this blog as the first result...

by: rho

Sat, 17 Nov 2007 14:53:55 +0000

Salted passwords are good, but it isn't the Holy Grail. How long is the salt valid? A salt that lasts forever isn't forever unbreakable, and changing salts introduces all new problems.

By by and large, it's not a bad idea.

by: TimDurnan

Sat, 17 Nov 2007 13:02:11 +0000

And, of course, by "pretty-darn-difficult" I mean "pretty-darn-secure." Heh.

by: TimDurnan

Sat, 17 Nov 2007 12:59:33 +0000

I've always been a big fan of the "move one or both hands away from home row and type your passphrase via touch-type" method of passwords. As an example, if both hands are moved directly up one row, the passphrase danielrutter becomes eqh83o475534, and so on. This makes passwords that are both pretty-darn-difficult and pretty-easy-to-remember, and I've been using this technique for about seven years or so with great success.