Subject: Re: [wss] PasswordDigest in Username profile
> I don't understand your comment. Why would SHA-1( password + nonce + created ) be
> "harder for crackers" than SHA-1( nonce + created + password )?

If I were doing a brute-force attack, I'd have to do the whole SHA1 operation for p/n/c for each guess. If the format is n/c/p, then I can compute n/c, save the digest state, and then only "restart" the hash with each password guess.

/r$

--
Rich Salz, Chief Security Architect
DataPower Technology http://www.datapower.com
XS40 XML Security Gateway http://www.datapower.com/products/xs40.html
XML Security Overview http://www.datapower.com/xmldev/xmlsecurity.html
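
The state-saving point in the message above, as an added example that is not part of the original post: Python's `hashlib` `copy()` stands in for the saved digest state, and the block arithmetic gives the number of SHA-1 compression calls each field order repeats per guess. The nonce, timestamp and password are constructed sample values, and all function names are hypothetical.

```python
import hashlib

SHA1_BLOCK = 64  # SHA-1 compresses its input in 64-byte blocks


def saved_state(nonce: bytes, created: bytes):
    """Hash object that has absorbed nonce + created and nothing else."""
    return hashlib.sha1(nonce + created)


def digest_direct(nonce: bytes, created: bytes, password: bytes) -> bytes:
    """SHA-1(nonce + created + password), hashed from scratch."""
    return hashlib.sha1(nonce + created + password).digest()


def digest_from_saved_state(state, password: bytes) -> bytes:
    """Resume from the saved n/c state and append only the password."""
    h = state.copy()  # the saved state itself is left untouched
    h.update(password)
    return h.digest()


def sha1_blocks(msg_len: int) -> int:
    """Compression calls for one message: data, 0x80 pad byte, 8-byte length."""
    return (msg_len + 8) // SHA1_BLOCK + 1


def blocks_per_guess(fixed_len: int, pw_len: int, fixed_first: bool) -> int:
    """Compression calls that must be repeated for every password candidate."""
    total = sha1_blocks(fixed_len + pw_len)
    if not fixed_first:
        return total  # p/n/c: the varying bytes come first, nothing is reusable
    return total - fixed_len // SHA1_BLOCK  # n/c/p: whole prefix blocks are cached


# Constructed sample values, not taken from the thread.
NONCE = bytes(range(16))
CREATED = b"2003-07-16T12:00:00Z"
PASSWORD = b"constructed-example"

if __name__ == "__main__":
    state = saved_state(NONCE, CREATED)
    print(digest_from_saved_state(state, PASSWORD) == digest_direct(NONCE, CREATED, PASSWORD))
    for n in (len(NONCE) + len(CREATED), 128):
        print(n, "fixed bytes; p/n/c:", blocks_per_guess(n, 8, False),
              "n/c/p:", blocks_per_guess(n, 8, True))
```

Only whole 64-byte blocks of the fixed prefix can be cached, so with the 36-byte nonce and timestamp used here both orderings cost one compression call per candidate; the gap appears once the fixed fields reach 64 bytes.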