549
NIST proposes barring some of the most nonsensical password rules
(arstechnica.com)
This is a most excellent place for technology news and articles.
With the hash one, it doesn't look like that could be exploited by an attacker doing the bad hashing themselves, since any collisions they do find will only be relevant to the extra hashing they do on their end.
But that encryption one still sounds like it could be exploited by an attacker applying more encryption themselves. Though I'm assuming there's a public key the attacker has access to and if more layers of encryption make it easier to determine the associated private key, then just do that?
Though when you say they share the same secret, my assumption is that a public key for one algorithm doesn't map to the same private key as another algorithm, so wouldn't cracking one layer still be uncorrelated with cracking the other layers? Assuming it's not reusing a one time pad or something like that, so I guess context matters here.