Topic: [IDEA] hashing badge

hero member
Activity: 700
Merit: 507
July 15, 2012, 06:19:34 PM
#5
...I meant to make a humorous comment ><
legendary
Activity: 1498
Merit: 1000
July 15, 2012, 05:34:09 PM
#4
Quote
I personally don't like the idea: why give a hint about what kind of password there is in the password dump some kiddy just ripped? ;)

As DeathAndTaxes explained, the bread and butter of strong cryptography is the algorithm along with the salt, and of course with bcrypt you wouldn't have enough computing power to crack all the hashes in his password database.

I think this could be a great idea for the Bitcoin community, as we always wonder what a site uses to keep our passwords safe.
donator
Activity: 1218
Merit: 1079
Gerald Davis
July 15, 2012, 05:23:46 PM
#3
Because in strong cryptography the algorithm should never be considered a secret. The secret is the secret, and it doesn't matter if the attacker knows everything else. One should assume the attacker already knows everything but the secret.

A smart hacker can easily determine the algorithm anyway. Simply locate a known account in the password dump. You have the plaintext & the hash. Determining the algorithm is trivial.

For example, our site uses bcrypt (workload 10) with a random 128-bit per-record salt.

Here is an example password hash (bcrypt includes salt and algorithm version in the hash output)
Quote
$2a$10$X2/v9/FO2.0DIE0dVkT6x.LvyrWPZv/.Tpf/O8Q67ufthCNdYx7LO

You have the algorithm and the salt; everything you need to crack the password.

Still, you will NEVER (not today, not before the sun burns out) brute-force that password. Hell, if you do I'll pay you $1,000.


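As an added example (not code from the original post, and not the code of Gerald Davis's site), the following Python script shows concretely what the hash string above hands an attacker and why that does not help: it splits a bcrypt string into the version, cost, 128-bit salt and digest it openly carries, and, for unsalted hex digests, confirms the algorithm from one known plaintext/hash pair by recomputing the candidates, which is the "trivial" step the post describes. The user names and dump lines are constructed for the example; alice's and bob's entries are md5 and sha1 of the string "password", carol's is the bcrypt hash quoted in the post. The modular-crypt prefixes in the table are the identifiers those schemes emit; only hashlib from the standard library is used.

```python
import hashlib
import re

# bcrypt's non-standard base64 alphabet (ordering differs from RFC 4648).
BCRYPT_B64 = "./ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"
BCRYPT_RE = re.compile(
    r"^\$(2[abxy]?)\$(\d\d)\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$")

# Modular-crypt prefixes -> scheme. The prefix alone names the algorithm,
# so a "badge" reveals nothing the hash string does not already say.
CRYPT_PREFIXES = {
    "$2a$": "bcrypt", "$2b$": "bcrypt", "$2x$": "bcrypt", "$2y$": "bcrypt",
    "$1$": "md5crypt", "$5$": "sha256crypt", "$6$": "sha512crypt",
    "$argon2i$": "argon2", "$argon2d$": "argon2", "$argon2id$": "argon2",
}


def bcrypt_b64decode(text, nbytes):
    """Decode bcrypt's base64 variant. bcrypt packs 16 salt bytes into 22
    chars and 23 digest bytes into 31 chars; trailing pad bits are dropped."""
    acc, bits, out = 0, 0, bytearray()
    for ch in text:
        acc = (acc << 6) | BCRYPT_B64.index(ch)
        bits += 6
        if bits >= 8:
            bits -= 8
            out.append((acc >> bits) & 0xFF)
            acc &= (1 << bits) - 1
    return bytes(out[:nbytes])


def parse_bcrypt(hash_str):
    """Split a bcrypt string into the fields it openly carries.
    Returns None if the string is not a bcrypt hash."""
    m = BCRYPT_RE.match(hash_str)
    if not m:
        return None
    version, cost, salt_b64, digest_b64 = m.groups()
    cost = int(cost)
    return {
        "version": version,
        "cost": cost,
        "rounds": 2 ** cost,  # EksBlowfish key-setup iterations per guess
        "salt": bcrypt_b64decode(salt_b64, 16),
        "digest": bcrypt_b64decode(digest_b64, 23),
    }


def classify_hash(hash_str):
    """Name the scheme from the stored string alone, with no plaintext."""
    for prefix, scheme in CRYPT_PREFIXES.items():
        if hash_str.startswith(prefix):
            return scheme
    if re.fullmatch(r"[0-9a-fA-F]+", hash_str):
        return {32: "md5-length hex", 40: "sha1-length hex",
                64: "sha256-length hex",
                128: "sha512-length hex"}.get(len(hash_str), "hex digest")
    return "unknown"


def identify_unsalted(plaintext, hash_str):
    """Given one known (plaintext, hash) pair, find which unsalted digest
    produced it by recomputing each candidate. None if no candidate matches
    (e.g. the hash is salted or uses a scheme not tried here)."""
    target = hash_str.lower()
    for name in ("md5", "sha1", "sha224", "sha256", "sha384", "sha512"):
        if hashlib.new(name, plaintext.encode()).hexdigest() == target:
            return name
    return None


def audit_dump(lines, known_plaintexts):
    """Walk 'user:hash' lines and report what an attacker learns from each."""
    report = {}
    for line in lines:
        user, _, h = line.partition(":")
        scheme = classify_hash(h)
        if scheme == "bcrypt":
            p = parse_bcrypt(h)
            report[user] = (f"bcrypt cost={p['cost']} ({p['rounds']} rounds), "
                            f"{len(p['salt']) * 8}-bit salt")
        elif user in known_plaintexts:
            algo = identify_unsalted(known_plaintexts[user], h) or "unknown"
            report[user] = f"{algo} unsalted, confirmed from known password"
        else:
            report[user] = scheme
    return report


# Constructed sample dump (fictional users): alice = md5("password"),
# bob = sha1("password"), carol = the bcrypt hash quoted in the post.
SAMPLE_DUMP = [
    "alice:5f4dcc3b5aa765d61d8327deb882cf99",
    "bob:5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8",
    "carol:$2a$10$X2/v9/FO2.0DIE0dVkT6x.LvyrWPZv/.Tpf/O8Q67ufthCNdYx7LO",
]
KNOWN = {"alice": "password", "bob": "password"}

if __name__ == "__main__":
    for user, finding in audit_dump(SAMPLE_DUMP, KNOWN).items():
        print(f"{user}: {finding}")
```

The point the script makes is the one the post makes: alice's and bob's entries fall to a single recomputation once one password is known, while carol's entry tells the attacker everything except the password, and every guess against it still costs 2^10 rounds of key setup against her own salt, so no precomputed table helps.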
hero member
Activity: 700
Merit: 507
July 15, 2012, 05:14:14 PM
#2
I personally don't like the idea: why give a hint about what kind of password there is in the password dump some kiddy just ripped? ;)
legendary
Activity: 1498
Merit: 1000
July 15, 2012, 02:51:57 PM
#1
I was watching a video and the host was talking about how websites should have badges to tell what they use to hash the password with, like "bcrypt", "SHA-1", "md5", and whether they use a salt. I think bitcoins could greatly use this; I am going to put it on my new bitcoin-related site. Just wanted to see people's thoughts on this.

BTW: if someone wants to make a site with an API that can detect the hashing function used and whether the salt is good enough, anyone can take that idea.