More issues with blind hashing

- Since we compute two hashes per authentication attempt, the running time and memory cost of each are reduced (a ~4x area-time product reduction)
- Yet some attacks may work on one of the hashes individually
- ... and even when not, the lower memory cost helps the attacker
- This can be repaired by revising scrypt to initialize V only when computing hash1, then reusing the same V for hash2
- Upgrading hashes to a stronger type is more costly and/or revealing
- Since the attacker will be able to use partial hashes and might not need salt2 anyway, the defender will want to make these as small as practical
- If taken "too far", this brings up its own difficulties, such as the need to handle occasional partial hash collisions, resulting in greater timing leaks (from extra hash2 computations when hash1 lookup returns multiple salt2 values) and greater susceptibility to DoS attacks
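
The partial hash collision cost described above, as an added example (not code from the original slides): a toy store keyed by a truncated hash1 that counts KDF calls per login. The storage layout, the derivation of salt1 from a site salt plus username, the early return on match, and all names and accounts are assumptions constructed for illustration.

```python
import hashlib
import os
from collections import defaultdict

SITE_SALT = b"constructed-site-salt"  # assumption: salt1 = site salt + username
ACCOUNTS = {"alice": "correct horse", "bob": "battery staple", "carol": "tr0ub4dor"}  # constructed

def kdf(password, salt):
    # Low scrypt cost so the demo runs fast; not a production parameter choice.
    return hashlib.scrypt(password.encode(), salt=salt, n=2**10, r=8, p=1, dklen=32)

class BlindStore:
    """Assumed layout: partial hash1 -> [salt2, ...] plus an unlinked set of hash2."""

    def __init__(self, partial_bits):
        self.partial_bits = partial_bits
        self.salt2_by_partial = defaultdict(list)
        self.hash2_set = set()

    def _partial(self, hash1):
        # Keep only the top partial_bits bits of hash1 as the lookup key.
        return int.from_bytes(hash1, "big") >> (len(hash1) * 8 - self.partial_bits)

    def enroll(self, user, password):
        hash1 = kdf(password, SITE_SALT + user.encode())
        salt2 = os.urandom(16)
        self.salt2_by_partial[self._partial(hash1)].append(salt2)
        self.hash2_set.add(kdf(password, salt2))

    def verify(self, user, password):
        """Return (ok, kdf_calls); kdf_calls is what response time exposes."""
        hash1 = kdf(password, SITE_SALT + user.encode())
        calls = 1
        for salt2 in self.salt2_by_partial.get(self._partial(hash1), []):
            calls += 1  # one extra hash2 per salt2 candidate in the bucket
            if kdf(password, salt2) in self.hash2_set:
                return True, calls
        return False, calls

def build(partial_bits, accounts=ACCOUNTS):
    store = BlindStore(partial_bits)
    for user, password in accounts.items():
        store.enroll(user, password)
    return store

def login_costs(store, accounts=ACCOUNTS):
    return {user: store.verify(user, pw) for user, pw in accounts.items()}

if __name__ == "__main__":
    for bits in (64, 1):  # 1 bit forces collisions among three accounts
        print(bits, login_costs(build(bits)))
```

With a 64-bit partial hash every valid login costs exactly two KDF calls; with a 1-bit partial hash at least one account needs three or more, and that per-request variation is both the timing signal and the extra work a DoS can lean on.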