Feb 10, 2015 at 8:56 PM
I suggest that you incorporate a complex algorithm into the password verification process that requires several seconds to complete and could not work if recompiled without it. This would make dictionary lookups and other brute force techniques too time consuming to be useful. I would not mind having to wait a few seconds for password verification in exchange for knowing a password crack would not be easy.

Added suggestion - It does not have to be all that complex, for example: "After entering your password, move your mouse randomly for twenty seconds."
Feb 11, 2015 at 3:06 AM
The extra work factor is already included, extremely generously I may add, by the repeated hash of the KDF.
Any other method / algorithm is doomed to fail since the source code is available to anyone, and the attacker can compile his attack code circumventing the complex algorithm or any other mandatory user interaction.
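To illustrate the reply's point about the KDF's repeated hashing, here is an added example (not code from the thread or from the project under discussion) using PBKDF2-HMAC from Python's standard library. The iteration count is an input to the derivation itself, so a verifier or attacker who "compiles out" the slow part simply gets a different key and cannot unlock anything; the cost therefore holds regardless of who controls the client code. The salt, passwords and iteration counts used below are constructed for the demonstration, and `make_record` / `verify_password` are hypothetical helpers, not any real product's API.

```python
import hashlib
import hmac
import os
import time


def derive_key(password: str, salt: bytes, iterations: int,
               length: int = 32, hash_name: str = "sha256") -> bytes:
    """PBKDF2-HMAC: the iteration count is part of the derivation, so the
    derived key changes if even one iteration is skipped. That is what makes
    the work factor mandatory rather than a client-side courtesy."""
    return hashlib.pbkdf2_hmac(hash_name, password.encode("utf-8"),
                               salt, iterations, length)


def make_record(password: str, iterations: int = 200_000) -> dict:
    """Hypothetical stored record: random per-user salt, the cost parameter,
    and the derived key. The cost is stored so it can be raised over time."""
    salt = os.urandom(16)
    return {"salt": salt, "iterations": iterations,
            "key": derive_key(password, salt, iterations)}


def verify_password(record: dict, candidate: str) -> bool:
    """Re-derive with the stored salt and cost; compare in constant time."""
    key = derive_key(candidate, record["salt"], record["iterations"])
    return hmac.compare_digest(key, record["key"])


def time_derivation(password: str, salt: bytes, iterations: int) -> float:
    """Seconds spent on one derivation; shows the cost scaling with iterations."""
    start = time.perf_counter()
    derive_key(password, salt, iterations)
    return time.perf_counter() - start


if __name__ == "__main__":
    salt = b"constructed-salt"  # fixed salt only for the demonstration below
    for c in (1, 1_000, 100_000):
        print(f"{c:>7} iterations: {time_derivation('correct horse', salt, c):.4f}s")
    # Skipping a single iteration yields an unrelated key, so an attacker
    # cannot shortcut the cost and still match the stored value.
    full = derive_key("correct horse", salt, 1_000)
    short = derive_key("correct horse", salt, 999)
    print("keys equal after skipping one iteration:", full == short)
    rec = make_record("s3cret", iterations=50_000)
    print("correct password verifies:", verify_password(rec, "s3cret"))
    print("wrong password verifies:  ", verify_password(rec, "S3cret"))
```

The same principle applies to the other memory-hard or iterated KDFs in common use: the cost parameter is bound into the output, which is exactly why a user-interaction delay or an obfuscated routine in the client adds nothing that the KDF does not already provide.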