22.02.2013, 17:39
I have to agree that hashing 60 000 times is pretty much overkill, particularly when considering the CPU time it takes.
An 8-character-long password combined with a 16-character salt has about 1.5*10^42 possible combinations, and with a 32-character-long salt there are more than 4*10^69 possible combinations.
It is possible, however, that one gains access to both password and salt. This somewhat eliminates the protection provided by the salt against brute force attacks.
Anyways, in my opinion already salting the password and using a slower hash, like Whirlpool, should be safe enough.
And if you really want to hash many times, 50 times should be enough.
Please correct me if I'm wrong.
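The trade-off the post talks about (a 16-character salt, and 50 versus 60 000 hashing rounds) can be measured directly. The following is an added example, not code from the original post: it stores the salt and iteration count next to the hash, verifies with a constant-time compare, and times one derivation at each count. It uses PBKDF2-HMAC-SHA512 from the standard library because Whirlpool is not guaranteed to be available in hashlib; the record format and the sample passwords are constructed for the example.

```python
import hashlib
import hmac
import os
import time

# Added example, not from the original post. SHA-512 stands in for the
# Whirlpool hash mentioned there; 16 bytes matches the post's 16-character salt.
SALT_BYTES = 16


def hash_password(password: str, iterations: int, salt: bytes = None) -> str:
    """Return a self-describing record: iterations$salt_hex$hash_hex.

    The salt and the iteration count are stored in the clear beside the
    hash so that verification can repeat exactly the same derivation."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt, iterations)
    return f"{iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash from the stored parameters; compare in constant time."""
    iterations, salt_hex, digest_hex = record.split("$")
    candidate = hashlib.pbkdf2_hmac(
        "sha512", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def seconds_per_guess(iterations: int, rounds: int = 3) -> float:
    """Average wall-clock time of one derivation at this iteration count.

    This is what the server pays per login, and also the work that has to be
    repeated for every candidate password if the hash and salt leak."""
    salt = os.urandom(SALT_BYTES)
    start = time.perf_counter()
    for _ in range(rounds):
        hashlib.pbkdf2_hmac("sha512", b"correct horse battery staple", salt, iterations)
    return (time.perf_counter() - start) / rounds


if __name__ == "__main__":
    record = hash_password("hunter2", 60_000)  # constructed sample password
    print(record)
    print("verify correct:", verify_password("hunter2", record))
    print("verify wrong:  ", verify_password("hunter3", record))
    for n in (50, 60_000):
        print(f"{n:>6} iterations: {seconds_per_guess(n) * 1000:.3f} ms per guess")
```

Run it and compare the two timings: the ratio between them is the factor by which the iteration count multiplies the cost of every guess.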