Re: [GENERAL] SHA1 on postgres 8.3 - Mailing list pgsql-hackers

From Svenne Krap
Subject Re: [GENERAL] SHA1 on postgres 8.3
Msg-id 47F515A6.8010305@krap.dk
In response to Re: [GENERAL] SHA1 on postgres 8.3  ("Greg Sabino Mullane" <greg@turnstep.com>)
Responses Re: [GENERAL] SHA1 on postgres 8.3  (Mark Mielke <mark@mark.mielke.cc>)
List pgsql-hackers
Mark Mielke wrote:
> Svenne Krap wrote:
>> Mark Mielke wrote:
>>> Svenne Krap wrote:
>>>> More two or even three different hashes with different 
>>>> collision-points will strongly increase the security.
>>> No it doesn't unless you are thinking about a security through 
>>> obscurity argument
> Your logic is invalid - the best quality would be to not use a hash at 
> all, and store in plain text, or ROT-13. Then you will have no 
> collisions. If you truly believe more bits are better, don't use a 
> hash to start with.
>

Ooops, went off-list by a wrong click. Putting it back on-list.

I am aware that plain text (or any 1:1 mapping) has no chance of 
collision, but on the other hand if the box is compromised it gives an 
easy target for stealing passwords (and a lot of users use the same 
passwords in a lot of places).
I believe that hashing through one hash function is an acceptable 
compromise between collisions (i.e. people get in with the wrong 
password) and password safety (evil hacker cannot read passwords) given 
you deploy anti-rainbow-table measures.

I would still prefer two hash functions as they do add a better 
safeguard towards collisions (the Gentoo distribution actually hashes the 
files by three different algorithms: SHA1, SHA256 and RMD160) - I would 
be inclined to use three hashes too, if they were instantly available.

Svenne
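The scheme discussed in this thread (one or more digests per password, each computed over a per-user random salt as the anti-rainbow-table measure, and verified with a constant-time comparison), written out as an added Python example that is not part of the thread; the record layout and the function names are assumptions.

```python
import hashlib
import hmac
import os
from typing import Dict, Iterable, Optional


def make_password_record(password: str,
                         algorithms: Iterable[str] = ("sha1",),
                         salt: Optional[bytes] = None) -> Dict[str, str]:
    """Hash a password with a per-user random salt under each listed algorithm.

    The salt is what defeats rainbow tables: the same password yields a
    different stored digest for every user, so a precomputed table of
    hash(password) values matches nothing in the database.
    Record layout (assumed): {"salt": hex, "<algorithm>": hexdigest, ...}.
    """
    if salt is None:
        salt = os.urandom(16)
    record = {"salt": salt.hex()}
    for name in algorithms:
        h = hashlib.new(name)
        h.update(salt + password.encode("utf-8"))
        record[name] = h.hexdigest()
    return record


def verify_password(password: str, record: Dict[str, str]) -> bool:
    """Recompute every stored digest and accept only if all of them match.

    With a single algorithm this is the 'one hash function' compromise from
    the post; with several it is the multi-digest variant (SHA1 + SHA256 ...),
    since a candidate password must reproduce each digest for the same salt.
    """
    salt = bytes.fromhex(record["salt"])
    ok = True
    for name, stored in record.items():
        if name == "salt":
            continue
        h = hashlib.new(name)
        h.update(salt + password.encode("utf-8"))
        # constant-time comparison so the check leaks no timing information
        ok &= hmac.compare_digest(h.hexdigest(), stored)
    return ok
```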
