Hacker News

They can't do #4, as they don't have the old password. They'd either end up having to reverse the hash (with the same problems as #3), in which case why keep the crypt() hash? Or they could use the crypt() output as the input to the new hash, which wouldn't change the set of passwords accepted, and therefore wouldn't help at all.


Wrapping the output of crypt() should reduce how many passwords would be compromised if an attacker gained access to the password database. That's the whole point of using digested passwords instead of plaintext.


Not to mention it makes attacks against the hash slower.
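The migration the thread is arguing about, as an added example that is not part of any commenter's post: wrap the stored crypt() output in a slow, salted hash now (no plaintext needed, same set of passwords accepted, but each offline guess now costs a PBKDF2 run on top of the legacy hash), then replace the wrapped record with a direct hash the next time the user logs in and the plaintext is available. Everything here is assumed for illustration: `legacy_crypt` is a constructed stand-in for crypt() (an unsalted SHA-1, so the example runs without the deprecated `crypt` module and is not a real crypt() implementation), PBKDF2-HMAC-SHA256 is the chosen wrapper, and the `wrapped$...` / `direct$...` record format is invented for this example.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

ITERATIONS = 200_000  # assumed work factor for the wrapping hash


def legacy_crypt(password: str) -> str:
    """Constructed stand-in for the legacy crypt() output. Deliberately weak
    (unsalted, fast) to play the role of the hash being migrated away from."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def _pbkdf2(material: bytes, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", material, salt, ITERATIONS)


def wrap_legacy_hash(legacy_hash: str, salt: Optional[bytes] = None) -> str:
    """Step 1, run offline over the whole table: wrap the stored crypt()
    output in PBKDF2. No plaintext is required, and the set of passwords
    that verify is unchanged; only the cost of each guess goes up.
    Record format (assumed): 'wrapped$<hex salt>$<hex digest>'."""
    salt = salt or os.urandom(16)
    digest = _pbkdf2(legacy_hash.encode("ascii"), salt)
    return f"wrapped${salt.hex()}${digest.hex()}"


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Step 2, run at login once the plaintext is in hand: hash the password
    directly and drop the legacy layer. Format: 'direct$<salt>$<digest>'."""
    salt = salt or os.urandom(16)
    digest = _pbkdf2(password.encode("utf-8"), salt)
    return f"direct${salt.hex()}${digest.hex()}"


def verify(password: str, record: str) -> bool:
    """Check a candidate password against either record format, comparing
    digests in constant time so verification timing leaks nothing."""
    try:
        scheme, salt_hex, digest_hex = record.split("$")
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
    except ValueError:
        return False
    if scheme == "wrapped":
        material = legacy_crypt(password).encode("ascii")
    elif scheme == "direct":
        material = password.encode("utf-8")
    else:
        return False
    return hmac.compare_digest(_pbkdf2(material, salt), expected)


def login(password: str, record: str) -> Tuple[bool, str]:
    """Verify the password; on success, upgrade a wrapped legacy record to a
    direct one. Returns (ok, record_to_store) so the caller persists it."""
    if not verify(password, record):
        return False, record
    if record.startswith("wrapped$"):
        return True, hash_password(password)
    return True, record


if __name__ == "__main__":
    # Constructed sample row from the legacy database.
    old_row = legacy_crypt("correct horse battery staple")
    wrapped = wrap_legacy_hash(old_row)
    ok, stored = login("correct horse battery staple", wrapped)
    print(ok, stored.split("$")[0])
```

The point of returning the new record from `login` rather than writing it inside `verify` is that the upgrade only happens on a successful check with the real plaintext, which is exactly the moment the "can't do #4 without the old password" objection stops applying.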



