Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Thu, 13 Dec 2012 13:43:25 -0700
From: havoc <>
Subject: Re: Intentionally Increasing Collisions in Password Hashing

On 12/13/2012 01:27 PM, Matt Weir wrote:
> Havoc,
>     Thanks for the response. I have a few questions/comments.
>> We know that in practice the opposite is usually true.
> So this statement made me pause a bit since it's my understanding a
> significant number of users re-use their passwords. By significant I
> mean enough that it's frequent enough to be worthwhile for an attacker
> to exploit. If you could point me to some research/studies/examples
> that's not the case I'd be very interested. For example two
> studies/experiments testing password reuse I can point to are:
> And there's all the empirical evidence I've seen such as how Twitter
> accounts were compromised after the Gawker breach.

Yeah, sorry, you're absolutely right. I originally wrote the first
paragraph as its contrapositive, so I meant to be denying that user's
didn't reuse their passwords (double negative), and I forgot to update
that part when I re-wrote it. It should have said "We know that in
practice this is usually true."


Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.