Firewall Wizards mailing list archives
Passwords (was: Stanford break in)
From: Dana Nowell <DanaNowell () cornerstonesoftware com>
Date: Fri, 23 Apr 2004 15:16:56 -0400
Disk space is cheap, I can get a 250 GB IDE drive at Best Buy for $180.00 today. So 4 drives comes to ~1 TB for $800. Assuming a 'salt' of two printable characters (old Unix password if I remember correctly) that's realistically about 10,000 salts in the 'set'. Assuming a dictionary of 12,000,000 'common passwords' of 8 chars or less (100MB) I can precompute with the 10,000 'salts' in about 1 TB. Yeah, 4 250GB drives isn't 1TB after formatting and there are probably more than 10K 'salts', so maybe it's a 10M 'password' dictionary. Now what was that you said about precompute ;-).

Bottom line: do NOT, repeat, do NOT put ANY confidence in 'salts' saving your A**. The best defense is to not be in anyone's dictionary in the first place. Pick a password carefully and change it regularly.

Ben Nagy scribbles:
No, you got it pretty much right. I would put it like this - a salt is a _non-secret_ value. If you don't use a salt then an attacker can precompute a big file containing the hashes of common passwords. Then, when they get hold of a particular password hash they can just do a file lookup which is really really fast (this is probably the simplest example of the "time space tradeoff" in crypto). Using a salt means that they need to do the same hash computation, but including the salt - which means they can't precompute, so it takes longer to crack.
--
Dana Nowell
Cornerstone Software Inc.
Voice: 603-595-7480 Fax: 603-882-7313
email: DanaNowell_at_CornerstoneSoftware.com

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
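The storage arithmetic behind the precomputation argument above, as an added worked example that is not part of the original post: it takes the post's figures (12M-entry dictionary, roughly 10,000 two-character salts, a ~1 TB budget), assumes 8 bytes of storage per precomputed hash, and shows how many salt bits push a full table past that budget.

```python
# Added example: storage arithmetic behind the precomputation argument.
# Figures (12M-entry dictionary, ~10,000 salts, ~1 TB budget) are the post's own;
# 8 bytes per stored hash is an assumption for illustration.

def table_bytes(dictionary_size: int, salt_space: int, bytes_per_entry: int) -> int:
    """Bytes needed to store one precomputed hash for every (password, salt) pair."""
    return dictionary_size * salt_space * bytes_per_entry


def salt_bits_to_exceed(dictionary_size: int, bytes_per_entry: int, budget_bytes: int) -> int:
    """Smallest salt length in bits at which a full table no longer fits in budget_bytes.

    Each extra salt bit doubles the table, so this is the point where a file
    lookup stops being possible and every target must be hashed individually
    (the time/space trade-off the quoted reply refers to).
    """
    per_salt = dictionary_size * bytes_per_entry
    bits = 0
    while per_salt * (1 << bits) <= budget_bytes:
        bits += 1
    return bits


DICTIONARY = 12_000_000     # entries, from the post
OLD_UNIX_SALTS = 10_000     # the post's rough count for a two-character salt
HASH_BYTES = 8              # assumed storage per entry
BUDGET = 10**12             # ~1 TB, the post's four-drive budget

if __name__ == "__main__":
    old = table_bytes(DICTIONARY, OLD_UNIX_SALTS, HASH_BYTES)
    print(f"two-char salt table: {old / 1e12:.2f} TB")      # fits the budget, as the post says
    modern = table_bytes(DICTIONARY, 2**128, HASH_BYTES)
    print(f"128-bit salt table: {modern:.1e} bytes")        # far beyond any storage
    bits = salt_bits_to_exceed(DICTIONARY, HASH_BYTES, BUDGET)
    print(f"salt bits at which the table exceeds 1 TB: {bits}")
```

The calculator makes the post's two points concrete: a small salt space only multiplies the table by a constant the attacker can afford, while a long random salt makes the table impossible to store but still leaves a dictionary password crackable one target at a time.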