Security Basics mailing list archives

Re: Hashing passwords


From: Kai Wirt <u-turn1 () gmx de>
Date: Tue, 12 Jun 2012 18:51:53 +0200

On Tue, Jun 12, 2012 at 02:17:11PM +0530, gold flake wrote:
A good discussion on the difference between a cryptographic hash and a
password storage hash is at

https://krebsonsecurity.com/2012/06/how-companies-can-beef-up-password-security/

There's one point with which I don't agree. While it is true that salt doesn't help you
against dictionary or brute-force attacks, one should still use salt. Basically there
are two ways to crack passwords. The first one starts by guessing passwords
and seeing if the guess is right. The second way is to try to invert the algorithm used
to generate the entries in the password file (using rainbow tables, for instance).

Making the password algorithm slow makes the first type of attack infeasible; using salt,
the second.



Kai


-- 
"They that give up essential liberties to obtain a little temporary safety deserve neither liberty nor safety."

                                         Benjamin Franklin

PGP Fingerprint: 8416 F8F7 4E84 0500 351B  435D 8A2D 5545 3D36 FD29
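As an added illustration of the two-attack argument in the post above (example code, not from the list or from the Krebs article): a per-user random salt defeats table-based inversion because identical passwords no longer share a digest, and a deliberately slow PBKDF2 makes per-guess work expensive. The salt length, iteration count, record format and the sample users are my assumptions.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumed parameters for the demo, not values from the original post.
SALT_BYTES = 16
ITERATIONS = 200_000


def unsalted_digest(password: str) -> str:
    """A plain cryptographic hash: fast, unsalted, identical for identical inputs."""
    return hashlib.sha256(password.encode()).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Password-storage hash: slow KDF over password + per-user salt.

    Returns a self-describing record 'pbkdf2_sha256$iterations$salt_hex$digest_hex'
    so the verifier can recover the parameters without a side table.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # fresh random salt per stored password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    algo, iterations, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported record format")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def demo() -> dict:
    """Two constructed users sharing a password: unsalted digests collide, salted ones do not."""
    users = {"alice": "correct horse", "bob": "correct horse"}  # constructed sample data
    unsalted = {u: unsalted_digest(p) for u, p in users.items()}
    salted = {u: hash_password(p) for u, p in users.items()}
    return {
        # True: one precomputed entry would cover every user with this password.
        "unsalted_identical": unsalted["alice"] == unsalted["bob"],
        # False: a table built for alice's salt says nothing about bob's record.
        "salted_identical": salted["alice"] == salted["bob"],
        "verify_ok": verify_password("correct horse", salted["alice"]),
        "verify_wrong": verify_password("Correct horse", salted["alice"]),
    }
```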
