|
|
|
|
|
|
by incandenza
5220 days ago
|
|
|
But the "reduction" adds no benefit. You might as well just check the whole hash and eliminate the false positives, which have no purpose. (A false positive has no correlation with being "closer" to the real password.) All you're doing is shifting the time at which you check the password, from when the form is submitted, to when each key is pressed. You seem to be wanting to assume that a correlation between some subset of the input bits leads to a correlation between some subset of the hash bits. But that's exactly what a cryptographic hash function is designed to prevent. EDIT: The brute-forcing issue assumes that you treat form submissions and keypresses differently. In other words, why would you ignore a billion mismatches on keypresses and then raise an alarm on a few failed form submissions? You're just dividing the detection into two different phases, for no real purpose. |
|
|