But if your password for foo.com is 10,000 rounds of PBKDF2-SHA256(foo-hunter2-XYZ) and so on, this is extremely effective.
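An added example (not code from anyone in this thread) of the derivation the comment describes: the per-site password is PBKDF2-HMAC-SHA256 over the concatenation site-master-salt with 10,000 rounds, base64-encoded, then cut to whatever length the site accepts. Using the site name as the PBKDF2 salt, the round count, and the placeholder secret `hunter2` and salt `XYZ` are assumptions of this example. The `entropy_bits` helper makes the point the later replies argue over: an 8-character cap on the output leaves at most 48 bits of the 256 the hash produced.

```python
import base64
import hashlib
import math
from typing import Optional

# Assumed parameters for this example: the round count mirrors the comment,
# the master secret and site names below are placeholders, not real credentials.
ROUNDS = 10_000
BASE64_ALPHABET_SIZE = 64  # output characters are drawn from A-Z, a-z, 0-9, +, /


def derive_site_password(master_secret: str, site: str, salt: str,
                         max_len: Optional[int] = None) -> str:
    """Derive a per-site password from a master secret.

    The PBKDF2 'password' input is the concatenation site-master-salt, as in
    the comment; the site name doubles as the PBKDF2 salt (an assumption of
    this example, not something the comment specifies).
    """
    material = f"{site}-{master_secret}-{salt}".encode("utf-8")
    key = hashlib.pbkdf2_hmac("sha256", material, site.encode("utf-8"), ROUNDS, dklen=32)
    password = base64.b64encode(key).decode("ascii").rstrip("=")
    if max_len is not None:
        # A site with a length cap forces truncation, which is what costs entropy.
        password = password[:max_len]
    return password


def entropy_bits(length: int, alphabet_size: int = BASE64_ALPHABET_SIZE) -> float:
    """Upper bound on the guessing entropy of a (possibly truncated) derived password.

    A 32-byte PBKDF2 output carries at most 256 bits; each surviving base64
    character carries log2(64) = 6 bits, so the bound is the smaller of the two.
    """
    return min(256.0, length * math.log2(alphabet_size))


if __name__ == "__main__":
    master, user_salt = "hunter2", "XYZ"  # constructed placeholders
    for site, cap in [("foo.com", None), ("bank.example", 8),
                      ("office.example", 16), ("pay.example", 10)]:
        pw = derive_site_password(master, site, user_salt, cap)
        print(f"{site:16} cap={str(cap):5} len={len(pw):3} "
              f"entropy<={entropy_bits(len(pw)):.0f} bits  {pw}")
```

Running it shows the full 43-character output for a site with no cap and the 8-, 16- and 10-character prefixes for the capped ones; the derived strings only use the base64 alphabet, so a site that insists on other symbol classes needs a different encoding step.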



Yeah that would be nice. I actually think browsers should have this as a feature.

But the problem is that not all websites accept long passwords. My bank wouldn't take longer than 8 characters and doesn't even have a second factor auth.

Office 365 wouldn't accept more than 16 characters. I think it was Paypal who wouldn't take more than 10.


> My bank wouldn't take longer than 8 characters

Ugh, that is seriously infuriating. Of all the websites I have accounts with, that's the top of my "Shit I care about" list.


Be happy, one of my banks has a 6-digit numeric PIN (I shit you not) as their "security".


Banks also lock the accounts after 3 failed attempts though. The short passwords are to avoid having to deal with phone calls that go something like, "Hello, I forgot my password."


Overlooking 6 characters vs 20 over a shoulder is much easier though.


Only as long as you can keep your permutation process secret.

The problem with using any standard algorithm like that is that the algorithm becomes your password.


> The problem with using any standard algorithm like that is that the algorithm becomes your password.

That's not true at all. The press release linked in this thread, for example, is very open that they use 100,000 rounds of PBKDF2-SHA256 to encrypt their passwords. That's a very standard algorithm. The security it provides is not its obscurity, but rather that the only way to check against an output hash is the naive brute force method which takes a long time - impractically long for attackers to try to brute force.
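An added example (not code from the thread or from the company whose press release is discussed) of the server-side scheme this reply describes: each password is stored as a random salt plus a 100,000-round PBKDF2-HMAC-SHA256 digest, verification recomputes the digest under the stored parameters, and because there is no shortcut, the time one verification takes on this machine is also the per-guess cost of checking a candidate against the record. The 16-byte salt and the sample password are this example's own choices.

```python
import hashlib
import hmac
import os
import time

# Assumed server-side parameters: the round count mirrors the press release
# figure quoted in the comment, the salt length is this example's choice.
ROUNDS = 100_000
SALT_BYTES = 16


def hash_password(password: str, rounds: int = ROUNDS) -> dict:
    """Store a password as (salt, rounds, PBKDF2-HMAC-SHA256 digest).

    The salt is random per user, so identical passwords produce different
    records and one guess cannot be amortised across many accounts.
    """
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds, dklen=32)
    return {"salt": salt.hex(), "rounds": rounds, "hash": digest.hex()}


def verify_password(candidate: str, record: dict) -> bool:
    """Recompute the digest under the stored salt and rounds and compare."""
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"),
                                 bytes.fromhex(record["salt"]), record["rounds"], dklen=32)
    # compare_digest avoids leaking how many leading bytes matched via timing.
    return hmac.compare_digest(digest.hex(), record["hash"])


def seconds_per_guess(record: dict, samples: int = 3) -> float:
    """Measure how long one verification takes on this machine.

    PBKDF2 offers no shortcut, so this is also the per-guess cost of checking a
    candidate against the stored record on comparable hardware.
    """
    start = time.perf_counter()
    for _ in range(samples):
        verify_password("not-the-password", record)
    return (time.perf_counter() - start) / samples


def brute_force_seconds(record: dict, keyspace: int) -> float:
    """Expected wall-clock time to exhaust a keyspace at the measured guess cost."""
    return keyspace * seconds_per_guess(record)


if __name__ == "__main__":
    rec = hash_password("correct horse battery staple")  # constructed sample
    print("stored record:", rec)
    print("verify correct:", verify_password("correct horse battery staple", rec))
    print("verify wrong:  ", verify_password("hunter2", rec))
    # 8 base64 characters give 64**8 = 2**48 candidates; 43 give the full 256 bits.
    for chars in (8, 43):
        years = brute_force_seconds(rec, 64 ** chars) / 86400 / 365
        print(f"{chars} base64 chars: ~{years:.3g} years on this machine")
```

The numbers printed are single-machine figures and say nothing about what dedicated hardware achieves; what the example demonstrates is that the scheme's cost per guess is public and tunable through the round count, not hidden in the choice of algorithm.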



