alt Hacker NewsIf the hash changes after every character, doesn't that make it possible for someone to determine your password one character at a time if they know what each hash was?
I'm guessing that wasn't in the threat model at the time.
Replies
qnleigh • yesterday at 7:19 PM
Yeah this reduces the time required to crack a password from
(# available characters) ^ (password length)
to
(# available characters) * (password length).
If you were patient you could crack someone's passwords by hand.
Hmm. Let's say you have 64 possible characters you can use in a password and four different images. You look over someone's shoulder and see that they go "RGBYYBRYG".
What this means is that you can now reduce your search space to approximately 16^9 passwords instead of 64^9 passwords. Which is probably very helpful if you have stolen the password hash, but not if you have to guess it by entering the password manually.