Hacker News new | ask | show | jobs
by extraduder_ire 85 days ago
If the hash changes after every character, doesn't that make it possible for someone to determine your password one character at a time if they know what each hash was?

I'm guessing that wasn't in the threat model at the time.
2 comments
orthoxerox 85 days ago
Hmm. Let's say you have 64 possible characters you can use in a password and four different images. You look over someone's shoulder and see that they go "RGBYYBRYG".

What this means is that you can now reduce your search space to approximately 16^9 passwords instead of 64^9 passwords. Which is probably very helpful if you have stolen the password hash, but not if you have to guess it by entering the password manually.

link
extraduder_ire 84 days ago
Makes sense. I was under the impression there were more than 4 outputs based on what you entered. (I've seen a similar setup that shows two hex digits)
link
qnleigh 85 days ago
Yeah this reduces the time required to crack a password from

(# available characters) ^ (password length)

to

(# available characters) * (password length).

If you were patient you could crack someone's passwords by hand.

link