[Catalog-sig] Pull request to migrate PyPI to bcrypt

Jesus Cea jcea at jcea.es
Tue Feb 12 17:41:56 CET 2013



On 11/02/13 14:38, Donald Stufft wrote:
> What were they hashed with? Even with a salt a fast hash is trivial
> to bruteforce for a large number of passwords in practically no
> time with trivial hardware.

Not if your salt has 256 bits of entropy.

The usual approach would be to use two salts: a personal salt per user,
stored in a different database from the hashed password (to reduce the
possibility of the same bug affecting both databases), and a global per-site
salt, stored outside of the database.

Salts can be big. You can't brute-force a 256-bit salt.

-- 
Jesús Cea Avión
jcea at jcea.es - http://www.jcea.es/
jabber / xmpp:jcea at jabber.org
"Things are not so easy"
"My name is Dump, Core Dump"
"Love is to place your happiness in the happiness of another" - Leibniz
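The two-salt layout described in the message above (a 256-bit per-user salt kept in a store separate from the hash table, plus a site-wide salt held outside the database), as an added example that is not part of the original thread. It uses the standard library's PBKDF2 in place of the bcrypt the thread proposes, and SITE_PEPPER, SALT_DB and HASH_DB are constructed names for the demo.

```python
import hashlib
import hmac
import secrets

# Site-wide salt ("pepper"). In deployment it is loaded from outside the
# database (config file, environment, KMS). Constructed value for this demo;
# a real one would come from secrets.token_bytes(32).
SITE_PEPPER = bytes.fromhex("0f" * 32)

# Work factor for the slow KDF; tune so one hash takes a noticeable fraction
# of a second on the server hardware.
ITERATIONS = 200_000

# Two separate stores, standing in for the two databases the message
# describes: one holds per-user salts, the other holds password hashes.
SALT_DB: dict[str, bytes] = {}
HASH_DB: dict[str, bytes] = {}


def new_user_salt() -> bytes:
    """256-bit per-user salt from the OS CSPRNG."""
    return secrets.token_bytes(32)


def hash_password(password: str, user_salt: bytes, pepper: bytes = SITE_PEPPER) -> bytes:
    # Bind the password to the site-wide secret first, so a dump of the hash
    # table (or even of both tables) still lacks one input needed to crack it.
    keyed = hmac.new(pepper, password.encode("utf-8"), hashlib.sha256).digest()
    # Then run a deliberately slow, per-user-salted KDF over the keyed value.
    return hashlib.pbkdf2_hmac("sha256", keyed, user_salt, ITERATIONS)


def verify_password(password: str, user_salt: bytes, stored: bytes,
                    pepper: bytes = SITE_PEPPER) -> bool:
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(hash_password(password, user_salt, pepper), stored)


def register(username: str, password: str) -> None:
    salt = new_user_salt()
    SALT_DB[username] = salt                      # salt store
    HASH_DB[username] = hash_password(password, salt)  # hash store


def login(username: str, password: str) -> bool:
    if username not in SALT_DB or username not in HASH_DB:
        return False
    return verify_password(password, SALT_DB[username], HASH_DB[username])
```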

