Bitcoin Forum

Bitcoin => Project Development => Topic started by: gweedo on July 15, 2012, 07:51:57 PM



Title: [IDEA] hashing badge
Post by: gweedo on July 15, 2012, 07:51:57 PM
I was watching a video and the host was talking about how websites should have badges to tell what they use to hash the password with, like "bcrypt", "SHA-1", "md5", and if they use a salt. I think bitcoins could greatly use this; I am going to put it on my new bitcoin related site. Just wanted to see people's thoughts on this.

BTW: if someone wants to make a site with an API that can detect the hashing function used and whether the salt is good enough, anyone can take that idea.


Title: Re: [IDEA] hashing badge
Post by: Nachtwind on July 15, 2012, 10:14:14 PM
I personally don't like the idea: why give a hint about what kind of password there is in the password dump some kiddy just ripped? ;)


Title: Re: [IDEA] hashing badge
Post by: DeathAndTaxes on July 15, 2012, 10:23:46 PM
Because in strong cryptography the algorithm should never be considered a secret.  The secret is the secret and it doesn't matter if the attacker knows everything else.  One should assume the attacker already knows everything but the secret.

A smart hacker can easily determine the algorithm anyway.  Simply locate a known account from the password dump. You have the plaintext & the hash.  Determining the algorithm is trivial.

For example, our site uses bcrypt (workload 10) with a random 128-bit per-record salt.

Here is an example password hash (bcrypt includes salt and algorithm version in the hash output)
Quote
$2a$10$X2/v9/FO2.0DIE0dVkT6x.LvyrWPZv/.Tpf/O8Q67ufthCNdYx7LO

You have the algorithm and the salt; everything you need to crack the password. 

Still, you will NEVER (not today, not before the sun burns out) brute force that password.  Hell, if you do I'll pay you $1,000.
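The point made in the post above, that a leaked record already discloses its hashing scheme, worked through as an added example in Python (example code, not from the thread or from any site mentioned in it). It parses the bcrypt string quoted in the post for its version, cost and salt, which bcrypt stores in the hash itself, and for bare hex digests it uses one known plaintext from the dump to confirm the algorithm and whether a salt was prepended or appended. Apart from the quoted bcrypt string, the sample records, the salt and the plaintext are constructed here, and the function names are my own.

```python
"""Added example (not from the forum thread): recover the hashing scheme
from leaked records, the way the post above describes.

Two cases:
  * bcrypt strings carry algorithm version, cost and salt in their
    modular-crypt prefix, so they can be read without any plaintext.
  * bare hex digests (md5, sha1, sha256, sha512) carry nothing, but one
    known plaintext/hash pair from the dump pins down the scheme and
    whether (and where) a salt was mixed in.
"""
import hashlib
import re

# bcrypt modular-crypt format: $2<v>$<cost>$<22-char salt><31-char digest>
# The alphabet is bcrypt's own base64 (./A-Za-z0-9), not RFC 4648.
BCRYPT_RE = re.compile(
    r"^\$(2[abxy]?)\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$"
)

# The bcrypt hash quoted in the post above.
POST_HASH = "$2a$10$X2/v9/FO2.0DIE0dVkT6x.LvyrWPZv/.Tpf/O8Q67ufthCNdYx7LO"

# Constructed sample records for the hex-digest case (hypothetical dump).
KNOWN_PLAINTEXT = "hunter2"
LEAKED_SALT = "s4lt"
UNSALTED_MD5 = hashlib.md5(KNOWN_PLAINTEXT.encode()).hexdigest()
SALTED_SHA1 = hashlib.sha1((LEAKED_SALT + KNOWN_PLAINTEXT).encode()).hexdigest()

# Digest lengths (hex chars) that identify an unsalted/plain digest algorithm.
HEX_DIGEST_ALGOS = {32: "md5", 40: "sha1", 64: "sha256", 128: "sha512"}


def parse_bcrypt(record):
    """Return the fields bcrypt embeds in its output, or None if not bcrypt."""
    m = BCRYPT_RE.match(record)
    if not m:
        return None
    version, cost, salt, digest = m.groups()
    return {
        "algorithm": "bcrypt",
        "version": version,
        "cost": int(cost),
        "rounds": 2 ** int(cost),   # cost is log2 of the key-setup iterations
        "salt": salt,               # 22 chars of bcrypt base64 == 128 bits
        "digest": digest,
    }


def identify_hex_digest(record, known_plaintext=None, salt_candidates=()):
    """Guess the algorithm behind a bare hex digest.

    With a known plaintext the guess is confirmed by recomputation, and the
    common salt placements (salt+pw, pw+salt) are tried for each candidate
    salt so the caller learns whether the scheme was salted at all.
    """
    record = record.lower()
    if not re.fullmatch(r"[0-9a-f]+", record):
        return None
    algo = HEX_DIGEST_ALGOS.get(len(record))
    if algo is None:
        return None
    result = {"algorithm": algo, "salted": None, "layout": None, "confirmed": False}
    if known_plaintext is None:
        return result        # length alone: plausible, not confirmed
    pw = known_plaintext.encode()
    if hashlib.new(algo, pw).hexdigest() == record:
        result.update(salted=False, confirmed=True)
        return result
    for salt in salt_candidates:
        s = salt.encode()
        for layout, data in (("salt+pw", s + pw), ("pw+salt", pw + s)):
            if hashlib.new(algo, data).hexdigest() == record:
                result.update(salted=True, layout=layout, confirmed=True)
                return result
    return result            # algorithm still only a length-based guess


def classify(record, known_plaintext=None, salt_candidates=()):
    """Try the self-describing format first, then fall back to digest guessing."""
    return parse_bcrypt(record) or identify_hex_digest(
        record, known_plaintext, salt_candidates
    )


if __name__ == "__main__":
    for rec in (POST_HASH, UNSALTED_MD5, SALTED_SHA1):
        print(rec, "->", classify(rec, KNOWN_PLAINTEXT, [LEAKED_SALT]))
```

Note what the bcrypt branch shows: nothing about the algorithm, cost or salt was hidden, and the cracker's cost is still 2^10 key setups per guess per record, which is the whole point of the post. The hex-digest branch only ever confirms an unsalted or salt-leaked scheme; a salt the attacker does not have is not recovered here.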




Title: Re: [IDEA] hashing badge
Post by: gweedo on July 15, 2012, 10:34:09 PM
I personally don't like the idea: why give a hint about what kind of password there is in the password dump some kiddy just ripped? ;)

As DeathAndTaxes explained, the bread and butter of strong cryptography is the algorithm along with the salt, and of course with bcrypt you wouldn't have enough computing power to crack all the hashes in his password database.

I think this could be a great idea for the bitcoin community, as we always wonder what a site uses to keep our passwords safe.


Title: Re: [IDEA] hashing badge
Post by: Nachtwind on July 15, 2012, 11:19:34 PM
...I meant to make a humorous comment ><