| A thought experiment... which probably doesn't change the big picture... but it's interesting... Suppose the initial implementation chose an ill-suited/fast/cheap hash (like MD5). The developer facepalms appropriately, changes course, and updates the implementation to support an expanded list of 4 hashes (1 old/weak/cheap hash and 3 new/strong/expensive hashes) - and you track the hash in the same way as the counter. Fast-forward a bit. Mallory eavesdrops, learns an example password, and starts a brute-force attack for the master password. He doesn't know which hash to use, so he has to try all of them. On the surface, the choice of hash is just 1 or 2 bits of entropy... but the resource impact on Mallory is driven by the (in)efficiency of the new hash(es), so it has an outsized impact. In anticipation of upcoming hardware, the developer issues annual updates with another (slower) hashing option (PBKDF2 w/100k iterations => 150k iterations => 200k iterations). This muddies the waters for new brute-force attacks. It's kind of a neat notion that the mere existence of a newer convention could retroactively raise the cost of a brute-force. Alas, it's not real. Because we're not just concerned that Mallory is an eavesdroper listening to a random password - we're concerned that Mallory is a website-operator who takes user-registrations. In that case, he can simply log the time when the user or password was created -- and thereby rule-out future hashing conventinos. |