Security Basics
Hashing passwords  Jun 11 2012 05:33PM  haZard0us (hazard0us pt gmail com)  (3 replies)
Re: Hashing passwords  Jun 11 2012 05:55PM  Ansgar Wiechers (bugtraq planetcobalt net)  (2 replies)
Re: Hashing passwords  Jun 11 2012 06:32PM  Rory Browne (rbmlist gmail com)  (1 replies)
RE: Hashing passwords  Jun 12 2012 01:54PM  Liam Randall (Liam Randall gigaco com)  (1 replies)
Re: Hashing passwords  Jun 12 2012 05:39PM  martin mngoma gmail com  (1 replies)
Re: Hashing passwords  Jun 12 2012 06:30PM  Kai Wirt (u-turn1 gmx de)  (2 replies)
Re: Hashing passwords  Jun 12 2012 11:07PM  Kurt Buff (kurt buff gmail com)  (2 replies)
> A good discussion on the difference between a cryptographic hash and a
> password storage hash is at
>
> https://krebsonsecurity.com/2012/06/how-companies-can-beef-up-password-security/
There's one point with which I don't agree. While it is true that salt doesn't help you
against dictionary or brute-force attacks, one should still use salt. Basically there
are two ways to crack passwords. The first one starts by guessing passwords
and seeing if the guess is right. The second way is to try to invert the algorithm used
to generate the entries in the password file (using rainbow tables for instance).
Making the password algorithm slow makes the first type of attack infeasible, using salt
the second.
Kai
--
"They that give up essential liberties to obtain a little temporary safety deserve neither liberty nor safety."
Benjamin Franklin
PGP Fingerprint: 8416 F8F7 4E84 0500 351B 435D 8A2D 5545 3D36 FD29
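Added example (not part of Kai's message or the thread): a Python sketch of the distinction drawn above, storing passwords with a slow hash plus a per-user random salt and checking what a table computed ahead of time can still recover. PBKDF2-HMAC-SHA256, the record format, the iteration count, the function names and the sample users are all assumptions made for the illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000          # assumed work factor; tune for your hardware
CONSTANT_SALT = b"\x00" * 16  # stands in for "no salt": same input, same digest

def derive(password, salt, iterations=ITERATIONS):
    """Slow hash: PBKDF2-HMAC-SHA256 over the password and salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)

def hash_password(password, iterations=ITERATIONS):
    """Return 'iterations$salt_hex$hash_hex' with a fresh random 16-byte salt."""
    salt = os.urandom(16)
    return f"{iterations}${salt.hex()}${derive(password, salt, iterations).hex()}"

def verify_password(password, stored):
    """Recompute with the stored salt and cost; compare in constant time."""
    try:
        iterations, salt_hex, hash_hex = stored.split("$")
        candidate = derive(password, bytes.fromhex(salt_hex), int(iterations))
        return hmac.compare_digest(candidate, bytes.fromhex(hash_hex))
    except (ValueError, OverflowError):
        return False  # malformed record

def table_hits(table, digests):
    """How many stored digests are recovered by lookup alone, with no guessing?"""
    return sum(1 for d in digests if d in table)

# Constructed sample data: two users share a common password.
WORDLIST = ["123456", "letmein", "password"]
USERS = {"alice": "letmein", "bob": "letmein", "carol": "password"}

def compare_schemes(iterations=1000):  # low cost only to keep the demo quick
    # Table computed once, ahead of time, against the unsalted scheme.
    table = {derive(w, CONSTANT_SALT, iterations).hex(): w for w in WORDLIST}
    unsalted = [derive(p, CONSTANT_SALT, iterations).hex() for p in USERS.values()]
    salted = [hash_password(p, iterations).split("$")[2] for p in USERS.values()]
    return {
        "unsalted_hits": table_hits(table, unsalted),  # every entry found by lookup
        "salted_hits": table_hits(table, salted),      # the table is useless
        "unsalted_distinct": len(set(unsalted)),       # alice and bob collide
        "salted_distinct": len(set(salted)),           # salts make them differ
    }

if __name__ == "__main__":
    print(compare_schemes())
```

The hash is equally slow in both columns, so the difference in table hits comes from the salt alone; the iteration count is what raises the cost of each individual guess.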