OASIS Mailing List Archives

Subject: Re: [wss] PasswordDigest in Username profile

> I don't understand your comment. Why would SHA-1( password + nonce + created ) be
> "harder for crackers" than SHA-1( nonce + created + password )?

If I were doing a brute-force attack, I'd have to do the whole SHA1 
operation for p/n/c for each guess.  If the format is n/c/p, then I can 
compute n/c, save the digest state, and then only "restart" the hash 
with each password guess.

Rich Salz, Chief Security Architect
DataPower Technology                           http://www.datapower.com
XS40 XML Security Gateway   http://www.datapower.com/products/xs40.html
XML Security Overview  http://www.datapower.com/xmldev/xmlsecurity.html
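
An added example, not part of the original message: it counts how many 64-byte SHA-1 compression calls depend on the password under each ordering, and uses `hashlib`'s `copy()` to confirm that a digest state saved after nonce + created finishes to the same value as hashing the whole input. The nonce, timestamp, password and the 200-byte prefix are constructed sample values, and the count goes beyond the message by modelling arbitrary prefix lengths.

```python
import hashlib

BLOCK = 64  # SHA-1 compression function input size in bytes


def sha1_blocks(msg_len: int) -> int:
    """Compression calls for msg_len bytes (0x80 pad byte + 8-byte length field)."""
    return (msg_len + 9 + BLOCK - 1) // BLOCK


def per_guess_blocks(prefix_len: int, pw_len: int, password_last: bool) -> int:
    """Compression calls that must be redone for every password candidate.

    password_last=True  models SHA-1(nonce + created + password)
    password_last=False models SHA-1(password + nonce + created)
    """
    total = sha1_blocks(prefix_len + pw_len)
    if not password_last:
        return total  # the password sits in the first block, nothing is reusable
    return total - prefix_len // BLOCK  # whole prefix-only blocks are hashed once


def digest_from_saved_state(saved, password: bytes) -> bytes:
    """Finish a hash from a copy of a saved state; the saved state is untouched."""
    h = saved.copy()
    h.update(password)
    return h.digest()


# Constructed sample values, not taken from the original message.
NONCE = bytes(range(16))
CREATED = b"2003-07-16T01:24:32Z"
PASSWORD = b"constructed-sample-pw"


def demo():
    prefix = NONCE + CREATED  # 36 bytes, shorter than one SHA-1 block
    saved = hashlib.sha1(prefix)
    same = digest_from_saved_state(saved, PASSWORD) == hashlib.sha1(prefix + PASSWORD).digest()
    short = tuple(per_guess_blocks(len(prefix), len(PASSWORD), last) for last in (True, False))
    long_ = tuple(per_guess_blocks(200, len(PASSWORD), last) for last in (True, False))
    return same, short, long_


if __name__ == "__main__":
    print(demo())
```

The saved work is counted in whole 64-byte blocks of the prefix: the 36-byte sample prefix leaves 2 blocks per candidate under either ordering, while a 200-byte prefix leaves 1 block with the password last against 4 with the password first.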
