Security Basics mailing list archives
Re: Hashing passwords
From: Kai Wirt <u-turn1 () gmx de>
Date: Tue, 12 Jun 2012 18:51:53 +0200
On Tue, Jun 12, 2012 at 02:17:11PM +0530, gold flake wrote:
> A good discussion on the difference between a cryptographic hash and a password storage hash is at https://krebsonsecurity.com/2012/06/how-companies-can-beef-up-password-security/

There's one point with which I don't agree. While it is true that salt doesn't help you against dictionary or brute-force attacks, one should still use salt. Basically there are two ways to crack passwords. The first one starts by guessing passwords and seeing if the guess is right. The second way is to try to invert the algorithm used to generate the entries in the password file (using rainbow tables for instance). Making the password algorithm slow makes the first type of attack infeasible, using salt the second.

Kai

--
"They that give up essential liberties to obtain a little temporary safety deserve neither liberty nor safety." Benjamin Franklin
PGP Fingerprint: 8416 F8F7 4E84 0500 351B 435D 8A2D 5545 3D36 FD29
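The two defences described in the message above, shown side by side as an added example that is not part of the original thread. PBKDF2-HMAC-SHA256, the iteration count, the function names and the three-word list are assumptions chosen for illustration; the dictionary stands in for a precomputed table.

```python
import hashlib
import hmac
import os
import time

ITERATIONS = 100_000  # assumed work factor; tune to your hardware

def unsalted_fast(password):
    """Plain SHA-256: fast and identical for every user with this password."""
    return hashlib.sha256(password.encode()).digest()

def salted_slow(password, salt=None, iterations=ITERATIONS):
    """PBKDF2-HMAC-SHA256 with a random per-user salt; returns the stored record."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, iterations, digest

def verify(password, record):
    """Recompute with the stored salt and compare in constant time."""
    salt, iterations, expected = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, expected)

def build_table(wordlist):
    """Stand-in for a precomputed (rainbow-style) table: digest -> password."""
    return {unsalted_fast(word): word for word in wordlist}

def seconds_per_hash(func, rounds):
    """Average wall-clock cost of one hash computation."""
    start = time.perf_counter()
    for _ in range(rounds):
        func("candidate")
    return (time.perf_counter() - start) / rounds

if __name__ == "__main__":
    words = ["letmein", "password", "hunter2"]  # constructed sample wordlist
    table = build_table(words)
    alice, bob = salted_slow("hunter2"), salted_slow("hunter2")
    print("unsalted hash found in table:", table.get(unsalted_fast("hunter2")))
    print("salted hash found in table:  ", table.get(alice[2]))
    print("same password, same record?  ", alice[2] == bob[2])
    print("fast s/hash:", seconds_per_hash(unsalted_fast, 1000))
    print("slow s/hash:", seconds_per_hash(salted_slow, 3))
```

The salt is stored in the clear next to the digest; its job is to make each record unique so one precomputed table cannot cover every user, while the iteration count is what raises the cost of each guess.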