> > Surprisingly, I've had students who had been taught that ALL one-way
> > functions are completely and totally uncrackable.
>
> I don't find that surprising - which fact I find somewhat depressing.
On Thu, 26 Apr 2007, Joachim Thiemann wrote:
Actually, couldn't one argue that if the function is crackable, it is
not one-way?
Good point.
I should have said "uncrackable systems using one way functions".
The function itself may be uncrackable, but the system using it is
crackable. The issue is not whether the original password can be
reproduced, but whether a working password can be generated.
Since users screw up, multiple attempts must be permitted. Rather than a
finite number of attempts followed by complete lockout, what I prefer is
an increasing delay amount. Each unsuccessful attempt can double the
length of time before another attempt is permitted. 2^^N seconds between
attempts will render brute force attacks futile, while still permitting
average users adequate opportunity to try a reasonable number of guesses.
But, there's prob'ly some basic flaw in that idea, also.
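
The doubling delay described in the message above, sketched as an added example (not code from the original message or its author). The class and function names, the per-account keying, counting the first failure as N = 1, and the optional `max_delay` ceiling are all assumptions made for illustration.

```python
import time

class BackoffThrottle:
    """After the Nth consecutive failure on an account, refuse further
    attempts on it until 2**N seconds have passed."""

    def __init__(self, clock=time.monotonic, max_delay=None):
        self._clock = clock          # injectable so the timing can be tested
        self._max_delay = max_delay  # optional ceiling; an assumption, not in the message
        self._state = {}             # account -> (failures, earliest next attempt)

    def seconds_until_allowed(self, account):
        _, not_before = self._state.get(account, (0, 0.0))
        return max(0.0, not_before - self._clock())

    def attempt(self, account, verify):
        """verify is the caller's zero-argument password check. It is only
        called when the account is outside its delay window, so guesses
        submitted during the delay are never evaluated."""
        if self.seconds_until_allowed(account) > 0:
            return "throttled"
        if verify():
            self._state.pop(account, None)  # a success resets the count
            return "ok"
        failures = self._state.get(account, (0, 0.0))[0] + 1
        delay = 2 ** failures
        if self._max_delay is not None:
            delay = min(delay, self._max_delay)
        self._state[account] = (failures, self._clock() + delay)
        return "failed"

def total_wait(failures):
    """Seconds of enforced waiting accumulated by `failures` consecutive
    wrong guesses with no ceiling: 2 + 4 + ... + 2**failures."""
    return 2 ** (failures + 1) - 2

if __name__ == "__main__":
    for n in (5, 10, 20, 30):
        print(f"{n} wrong guesses -> {total_wait(n):,} s of waiting")
```

With no ceiling, 20 consecutive wrong guesses accumulate 2,097,150 seconds of waiting (about 24 days), while a user who mistypes three times waits 14 seconds in total.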