Date: Thu, 13 Dec 2012 13:43:25 -0700
From: havoc <havoc@...use.ca>
To: crypt-dev@...ts.openwall.com
Subject: Re: Intentionally Increasing Collisions in Password Hashing
 Algorithms



On 12/13/2012 01:27 PM, Matt Weir wrote:
> Havoc,
>     Thanks for the response. I have a few questions/comments.
> 
>> We know that in practice the opposite is usually true.
> 
> So this statement made me pause a bit since it's my understanding a
> significant number of users re-use their passwords. By significant I
> mean enough that it's frequent enough to be worthwhile for an attacker
> to exploit. If you could point me to some research/studies/examples
> that's not the case I'd be very interested. For example two
> studies/experiments testing password reuse I can point to are:
> 
> http://www.lightbluetouchpaper.org/2011/02/09/measuring-password-re-use-empirically/
> https://research.microsoft.com/pubs/74164/www2007.pdf
> 
> And there's all the empirical evidence I've seen such as how Twitter
> accounts were compromised after the Gawker breach.

Yeah, sorry, you're absolutely right. I originally wrote the first
paragraph as its contrapositive, so I meant to be denying that users
didn't reuse their passwords (double negative), and I forgot to update
that part when I re-wrote it. It should have said "We know that in
practice this is usually true."


-- 
Havoc
https://defuse.ca/
