I just saw the new release announcement and I had an idea.
What if, in addition to storing the hard-to-compute hash for every password, we also store the SHA-1 hash of the first 5 characters of the password's SHA-1 hash? Wouldn't this allow us to quickly rule out 99% of passwords, thereby defending against DoS attacks, while at the same time not letting an attacker who obtained the hashes get the passwords?
I'm not a security expert, just brainstorming.
Thanks,
Ram.
--
You received this message because you are subscribed to the Google Groups "Django developers" group.
To unsubscribe from this group and stop receiving emails from it, send an email to django-develop...@googlegroups.com.
To post to this group, send email to django-d...@googlegroups.com.
Visit this group at http://groups.google.com/group/django-developers.
For more options, visit https://groups.google.com/groups/opt_out.
What if instead of calculating the PBKDF2 hash of the password, we calculate the PBKDF2 hash of its SHA-1 hash? Then the time of checking passwords wouldn't depend on their length, and we wouldn't even have to place a limit of 4096 characters on passwords; an attacker could try a 1MB-long password, but it would slow us down the same amount as trying "123456" would.
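The two proposals in this thread, worked through as an added example (this is not Django's hasher and not code from either poster): PBKDF2 is run over a fixed 40-byte hex SHA-1 digest of the password, so a 1 MB password costs the server the same as "123456", and the five-character "quick reject" fingerprint from the first message is implemented alongside it to show that a filter cheap enough for the server is equally cheap for whoever holds the stored hashes. The `pbkdf2_sha256_sha1pre$...` storage format, the 20000 iteration count and the use of SHA-256 as the PBKDF2 PRF are assumptions chosen for the demo.

```python
"""Added example: PBKDF2 over a SHA-1 prehash (length-independent cost), plus the
cost profile of a cheap 'quick reject' fingerprint. Not Django's own code."""
import hashlib
import hmac
import os
import time

ITERATIONS = 20000  # assumed work factor for this demo; tune per deployment
ALGO = "pbkdf2_sha256_sha1pre"  # assumed storage-format tag


def prehash(password: str) -> bytes:
    # SHA-1 collapses a password of any length to 20 bytes. Hex-encoding keeps
    # NUL bytes out of the KDF input in case the outer KDF is ever swapped for
    # one that truncates at NUL (bcrypt does).
    return hashlib.sha1(password.encode("utf-8")).hexdigest().encode("ascii")


def make_hash(password: str, salt=None, iterations: int = ITERATIONS) -> str:
    """Return '<algo>$<iterations>$<salt hex>$<derived key hex>'."""
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", prehash(password), salt, iterations)
    return "%s$%d$%s$%s" % (ALGO, iterations, salt.hex(), dk.hex())


def verify(password: str, encoded: str) -> bool:
    parts = encoded.split("$")
    if len(parts) != 4 or parts[0] != ALGO:
        return False
    _, iters, salt_hex, dk_hex = parts
    dk = hashlib.pbkdf2_hmac("sha256", prehash(password),
                             bytes.fromhex(salt_hex), int(iters))
    # Constant-time comparison so the match/mismatch position does not leak.
    return hmac.compare_digest(dk.hex(), dk_hex)


def verify_seconds(password: str, encoded: str, reps: int = 3) -> float:
    """Best-of-N wall time for one verification; used to compare input lengths."""
    best = float("inf")
    for _ in range(reps):
        t0 = time.perf_counter()
        verify(password, encoded)
        best = min(best, time.perf_counter() - t0)
    return best


def quick_fingerprint(password: str) -> str:
    # The first proposal: SHA-1 of the first 5 hex chars of SHA-1(password).
    inner = hashlib.sha1(password.encode("utf-8")).hexdigest()[:5]
    return hashlib.sha1(inner.encode("ascii")).hexdigest()


def survivors(candidates, fingerprint: str):
    # Whoever holds the stored fingerprint can discard a candidate with two
    # SHA-1 calls and never pay for PBKDF2 on it. The filter that saves the
    # server work saves an offline guesser exactly the same work, which is why
    # a stored fast-path weakens the slow hash it sits next to.
    return [c for c in candidates if quick_fingerprint(c) == fingerprint]


if __name__ == "__main__":
    short_pw, long_pw = "123456", "x" * 1_000_000  # constructed sample inputs
    h_short, h_long = make_hash(short_pw), make_hash(long_pw)
    print("verify '123456':      %.3f s" % verify_seconds(short_pw, h_short))
    print("verify 1 MB password: %.3f s" % verify_seconds(long_pw, h_long))
    fp = quick_fingerprint(short_pw)
    print("candidates surviving fingerprint:",
          survivors(["password", "letmein", short_pw, "qwerty"], fp))
```

Running the main block prints two nearly identical timings: the SHA-1 over 1 MB costs a few milliseconds, while the PBKDF2 iterations over the 40-byte digest dominate in both cases. The fingerprint lookup, by contrast, finishes in microseconds, which is the property that makes it dangerous to store.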
Florian, I'm not sure that you read my message carefully enough. I'm not proposing to reduce the time that PBKDF2 takes to hash.