[nycphp-talk] Thoughts on encryption
Chris Snyder
chsnyder at gmail.com
Thu May 6 14:21:29 EDT 2010
On Thu, May 6, 2010 at 2:14 PM, Nicholas Ilyin <nick.ilyin at gmail.com> wrote:
> However, appending any plaintext to your password and hashing that, such as
> SHA(username+password+username) is useless from a mathematical standpoint as
> the username is actually known to a potential hacker. The way that hash
> functions work would mean that adding any additional bits which are known
> will not increase the security of your resulting hash.
>
The attacker would need to generate a custom set of dictionary attacks
that include the username, so it's not entirely useless.
If they have the password hash, they have the database and,
presumably, everything else on the server. There are no secrets from
that sort of attacker.
More information about the talk
mailing list