Open Source and information security mailing list archives
Date: Fri, 12 Dec 2014 11:31:51 +0800
From: Ben Harris <>
Subject: Re: [PHC] How important is salting really?

On 12 December 2014 at 11:13, Peter Maxwell <> wrote:

> If commonly chosen passwords have an incidence of, say, 0.5% in a database
> (not unreasonable from what I can tell), there is a suitably large number
> of hashes in the database, and the work involved in calculation of a single
> hash is high then it might be of use.  For example, a database with 1m
> password hashes implies around 5k duplicates of each of the very most
> common passwords; if those aren't salted then an attacker can both reduce
> their work commitment by the number of duplicates but also readily identify
> them a priori as weak passwords.  It does however require the work-per-hash
> to be rather onerous indeed.
> There may be a more subtle argument to be made here involving frequency
> distributions of passwords but I'm far too tired at the moment to advance
> it.
Back of the envelope for birthday collision.

Random password with 32-bit entropy (~6 alpha-numeric) - 77 thousand passwords = 50% chance of duplicate
Random password with 48-bit entropy (~8 alpha-numeric) - 20 million passwords = 50% chance of duplicate
Random password with 64-bit entropy (~11 alpha-numeric) - 5 billion passwords = 50% chance of duplicate

And from (

    4.7% of users have the password password;
    8.5% have the passwords password or 123456;
    9.8% have the passwords password, 123456 or 12345678;
    14% have a password from the top 10 passwords
    40% have a password from the top 100 passwords
    79% have a password from the top 500 passwords
    91% have a password from the top 1000 passwords

Critically, 0.18% of users use 99.6% of the passwords in the database
leaked in that article.
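As an added illustration (not part of Ben's message or the thread), the Python below reproduces the back-of-the-envelope birthday figures above and shows the effect Peter's point turns on: in an unsalted hash column, repeated passwords are visible as repeated digests, while a per-user random salt hides them. The sample database is constructed, and SHA-256 stands in for whatever slow password hash a real system would use.

```python
import hashlib
import math
import os
from collections import Counter


def birthday_bound(entropy_bits: float, p: float = 0.5) -> float:
    """Number of uniformly random passwords drawn from a space of 2**entropy_bits
    before the chance of at least one duplicate reaches p.
    Standard approximation: n ~ sqrt(2 * 2**bits * ln(1/(1-p)))."""
    space = 2.0 ** entropy_bits
    return math.sqrt(2.0 * space * math.log(1.0 / (1.0 - p)))


def collision_probability(entropy_bits: float, n: int) -> float:
    """P(at least one duplicate among n draws) via 1 - exp(-n(n-1)/(2*space)).
    Accurate while n is small relative to the space."""
    space = 2.0 ** entropy_bits
    return 1.0 - math.exp(-n * (n - 1) / (2.0 * space))


def duplicate_groups(passwords, salted: bool):
    """Hash each password (SHA-256 here only to show the salting effect) and
    return the sizes of groups of identical stored digests larger than one.
    With a random per-user salt the same password never maps to the same digest."""
    counts = Counter()
    for pw in passwords:
        salt = os.urandom(16) if salted else b""
        counts[hashlib.sha256(salt + pw.encode()).hexdigest()] += 1
    return sorted((c for c in counts.values() if c > 1), reverse=True)


# Constructed sample database: "password" appears 3 times, "123456" twice.
SAMPLE_DB = ["password", "hunter2", "123456", "password", "correct horse",
             "123456", "password", "letmein"]

if __name__ == "__main__":
    for bits in (32, 48, 64):
        n = birthday_bound(bits)
        print(f"{bits}-bit entropy: ~{n:,.0f} passwords for a "
              f"{collision_probability(bits, round(n)):.0%} duplicate chance")
    print("unsalted duplicate groups:", duplicate_groups(SAMPLE_DB, salted=False))
    print("salted duplicate groups:  ", duplicate_groups(SAMPLE_DB, salted=True))
```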

