Date: Thu, 13 Dec 2012 13:43:25 -0700
From: havoc <havoc@...use.ca>
To: crypt-dev@...ts.openwall.com
Subject: Re: Intentionally Increasing Collisions in Password Hashing Algorithms

On 12/13/2012 01:27 PM, Matt Weir wrote:
> Havoc,
> Thanks for the response. I have a few questions/comments.
>
>> We know that in practice the opposite is usually true.
>
> So this statement made me pause a bit since it's my understanding a
> significant number of users re-use their passwords. By significant I
> mean enough that it's frequent enough to be worthwhile for an attacker
> to exploit. If you could point me to some research/studies/examples
> that's not the case I'd be very interested. For example two
> studies/experiments testing password reuse I can point to are:
>
> http://www.lightbluetouchpaper.org/2011/02/09/measuring-password-re-use-empirically/
> https://research.microsoft.com/pubs/74164/www2007.pdf
>
> And there's all the empirical evidence I've seen such as how Twitter
> accounts were compromised after the Gawker breach.

Yeah, sorry, you're absolutely right. I originally wrote the first
paragraph as its contrapositive, so I meant to be denying that users
didn't reuse their passwords (double negative), and I forgot to update
that part when I re-wrote it.

It should have said "We know that in practice this is usually true."

--
Havoc
https://defuse.ca/