lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Thu, 11 Dec 2014 19:37:46 -0800
From: "Jeremy Spilman" <>
Subject: Re: [PHC] How important is salting really?

On Thu, 11 Dec 2014 19:13:34 -0800, Peter Maxwell <>  

> (C) may come back into play again, albeit marginally.
> If commonly chosen passwords have an incidence of, say, 0.5% in a  
> database (not unreasonable from what I can tell), >there is a suitably  
> large number of hashes in the database, and the work involved in  
> calculation of a single hash is high >then it might be of use.

I'm not sure if we can take the Adobe leak as a good example, but in that  
case their single-key ECB mode had a similar effect as an unsalted keyed  
hash, in that we can see duplicates, but can't run a dictionary attack.  
Apparently 1,911,938 out of 130m were '123456', and the Top 100 passwords  
were used by almost 6,000,000 accounts. [1]

Salting at least makes a big difference in the special case where you have  
a keyed hash with an un-leaked key.

[1] -
Content of type "text/html" skipped

Powered by blists - more mailing lists