Full Disclosure mailing list archives
Re: Salted passwords
From: Valdis.Kletnieks () vt edu
Date: Mon, 10 Aug 2009 16:26:01 -0400
On Sun, 09 Aug 2009 20:14:57 EDT, T Biehn said:
Soliciting random suggestions. Lets say I have data to one-way-hash. The set has 9,999,999,999 members.
Actually, if you're using a 10-digit decimal field, you probably have 10**10 possible members - all-zeros counts too (unless there's *other* reasons zero isn't a legal ID). It's those little off-by-one errors that tend to get you. ;)
It's relatively easy to brute force this, or create precomp tables.
That's because you only have 10M billion members to brute force against.
So you add a salt to each.
A better idea cryptographically would be to fix the 10**10 member limit, so that the set *could* have a much higher possible number of members. Even staying at 10 characters, but allowing [A-Za-z0-9] (62 possible chars) raises your space to 62**10 or about 8.3*10**17 (or almost 10M times the difficuly). That's why most symmetric crypto algorithms use at least 64-bit or even larger keys, and even larger for RSA and similar public-key systems.
Attachment:
_bin
Description:
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Salted passwords T Biehn (Aug 09)
- Message not available
- Re: Salted passwords T Biehn (Aug 10)
- Message not available
- Re: Salted passwords Valdis . Kletnieks (Aug 10)
- Re: Salted passwords T Biehn (Aug 10)
- Re: Salted passwords Lyal Collins (Aug 12)
- Re: Salted passwords T Biehn (Aug 10)
- <Possible follow-ups>
- Re: Salted passwords antisec (Aug 10)
- Re: Salted passwords T Biehn (Aug 10)
- Re: Salted passwords raid (Aug 10)
- Re: Salted passwords T Biehn (Aug 10)