I was reading about PwdHash and it inspired me to create a little project where
Question
I was reading about PwdHash and it inspired me to create a little project where you input a master password and an easy to remember alias into a password hash, like bcrypt, and then you get a hash.
So far so good; that hash should be pretty secure and no one should be able to guess my master password from it.
The problem is that this hash is not really a usable password. For example, websites have all sorts of requirements for passwords, like not more than 20 characters, must contain a symbol, a number, a lower case letter and an upper case letter, must not start with a number, etc.
So: hash + requirements = usable password
But I have a concern. Is it possible that by applying the requirements to the hash in order to produce a usable password, I will lose some of the security that the hash produces?
For example, let's say the hash is 60 characters long and the password cannot have more than 20 characters. Is it bad to only take the first 20 characters of the hash? Would it be better to produce the 20 characters of the password by combining together the 60 characters of the hash?
So the general question is:
How should I proceed to create a usable password from that hash? Do I have to worry?
Explanation / Answer
For a good hashing algorithm (and unless you've rolled your own hash, you're probably using a good enough one), all of the bits should be pseudorandom.
A 20-character password is indeed weaker than a 60-character password, but one 20-character password is equally secure as another if they're equally random. Combining a 60-character hash into 20 characters would not add more randomness than just taking the first 20 characters.
When it comes to password design, the main threats (strategic guessing of your password, brute force, trying your password against all of your online profiles) can be mitigated by just using a different, long, random password for each website. The level of randomness provided by truncating a hashing function is enough.
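The following Python script is an added example, not part of the question or the answer above, of the derive-then-truncate approach the answer describes. It takes the raw bytes of a slow KDF (PBKDF2-HMAC-SHA256 from the standard library; scrypt or Argon2 would do the same job better), reads only as many of those pseudorandom bits as 20 symbols can hold, and applies the site's rules from the question (max 20 characters, all four character classes, no leading digit) by deterministic rejection sampling. The master password, alias, alphabet and policy are all constructed for the example. One design point worth noting: the example works on key bytes rather than on an encoded hash string, because a bcrypt string's first 29 characters are the cost and the salt in the clear, so "the first 20 characters" of a bcrypt string carry no secret at all.

```python
import hashlib
import math

# Constructed example policy: up to 20 characters, all four classes, no leading digit.
LOWER = "abcdefghijklmnopqrstuvwxyz"
UPPER = LOWER.upper()
DIGITS = "0123456789"
SYMBOLS = "!@#$%^&*"
ALPHABET = LOWER + UPPER + DIGITS + SYMBOLS   # 70 symbols
MAX_LEN = 20


def derive_key(master: str, alias: str, dklen: int = 32) -> bytes:
    """Slow KDF over the master password, salted by the per-site alias.

    PBKDF2-HMAC-SHA256 is used only because it ships with the standard
    library; scrypt or Argon2 would be a stronger choice for the same role.
    Every byte returned is pseudorandom, which is what makes truncation safe.
    """
    return hashlib.pbkdf2_hmac("sha256", master.encode("utf-8"),
                               alias.encode("utf-8"), 200_000, dklen)


def bytes_to_chars(key: bytes, length: int) -> str:
    """Read the key as a big integer and emit `length` base-70 digits.

    Twenty symbols consume about 123 of the 256 key bits; the rest are
    never consulted, which is truncation by another name. The residual
    bias from 2**256 not being a multiple of 70**20 is around 2**-133.
    """
    n = int.from_bytes(key, "big")
    out = []
    for _ in range(length):
        n, idx = divmod(n, len(ALPHABET))
        out.append(ALPHABET[idx])
    return "".join(out)


def meets_policy(pw: str) -> bool:
    """The site's rules from the question, as a predicate."""
    return (bool(pw)
            and len(pw) <= MAX_LEN
            and pw[0] not in DIGITS
            and any(c in LOWER for c in pw)
            and any(c in UPPER for c in pw)
            and any(c in DIGITS for c in pw)
            and any(c in SYMBOLS for c in pw))


def site_password(master: str, alias: str, length: int = MAX_LEN) -> str:
    """Deterministic password for (master, alias) that satisfies the policy.

    A candidate that fails the policy is discarded and the next one is
    taken from SHA-256(key || counter). Rejection sampling costs at most
    log2(1 / P[accept]) bits; with this alphabet and length roughly three
    quarters of candidates pass on the first try, so the loss is under
    half a bit of the ~123 bits a 20-symbol password can hold.
    """
    key = derive_key(master, alias)
    for counter in range(256):
        material = hashlib.sha256(key + bytes([counter])).digest()
        pw = bytes_to_chars(material, length)
        if meets_policy(pw):
            return pw
    raise RuntimeError("no policy-compliant candidate found")  # practically unreachable


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Guessing work, in bits, for a uniformly random password of this shape."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    # Constructed inputs; the same pair always yields the same password.
    pw = site_password("correct horse battery staple", "example.com")
    print(pw, len(pw), meets_policy(pw))
    print(f"{entropy_bits(MAX_LEN):.1f} bits for {MAX_LEN} symbols over {len(ALPHABET)}")
```

The number to keep in mind is the last line's output: 20 symbols drawn from a 70-symbol alphabet give about 122.6 bits, which is well past anything an online or offline guessing attack can cover, so the "lost" 40 characters of the hash were never buying anything a 20-character field could spend.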