2 comments

[ 0.44 ms ] story [ 18.5 ms ] thread
I am looking for ways to beef up my passwords. This was mainly conceived as an alternative to Passpack.

The idea is that hackers who obtain a server's hash do not expect the plaintext password to actually be a base64 encoded SHA512 hash. It also encourages salting to prevent password reuse.

What do you think?

Too much security?

Too time consuming?

Too awesome, must download GreaseMonkey script!

Security through obscurity. The hackers don't expect you to have a hashed password? So what? This is no different from salting.

Also, by adding a new function into your password hashing have you changed the cryptographic properties of the composed function? Have you formally proved that these new properties are as strong as the uncomposed properties? No? Then don't do it.

DON'T ROLL YOUR OWN CRYPTO, PEOPLE!

Composing functions counts as rolling your own, btw.