Message-ID: <2124675781.276319.1418410622258.JavaMail.open-xchange@oxuslxltgw02.lxa.perfora.net>
Date: Fri, 12 Dec 2014 12:57:02 -0600 (CST)
From: Steve Thomas <steve@...tu.com>
To: discussions@...sword-hashing.net
Subject: Re: [PHC] How important is salting really?

> On December 12, 2014 at 12:09 PM epixoip <epixoip@...dshell.nl> wrote:
>
>
> On 12/12/2014 5:58 AM, Krisztián Pintér wrote:
> > On Fri, Dec 12, 2014 at 2:39 PM, epixoip <epixoip@...dshell.nl> wrote:
> >> At what point did I demonstrate a lack of understanding / make a slight
> >> misstep?
> > at the point when you called "start attacking before knowing the hash"
> > nonsense. i know it was a misstep, because you referred to the
> > solution earlier (lookup tables).
>
> I see. To be clear, I didn't say it was nonsense, I said it made no
> sense. As in, the way it was worded made no sense to me. That's why I
> asked for clarification, which was met with insult. Now that you have
> clarified his intention, I understand what he was trying to say. But to
> me it still seems like a very awkward way to phrase it. Anyway, yes, I
> agree that this was a misstep.
>

Cool that part got cleared up. Also that "attack passwords before you get the
hash" is only theoretical because you probably don't know the hashing
algorithm. Is it MD5(pw), SHA1(pw), MD5(SHA1(pw)), MD5("deliciously-salty-" ||
pw)?

And now for the other "salt table". For those that don't see the need for this,
it's because you probably haven't run into a scheme that has lots of salt
collisions: crypt(3) (12 bit salt
http://en.wikipedia.org/wiki/Crypt_(C)#Traditional_DES-based_scheme) or
vBulletin (3 character salt). These cause massive amounts of salt collisions
and as such you have a table of unique salts "salt table". You run through the
salt table and remove them when they are no longer needed. If salts are large
enough there is little difference between a salt table and a list of all the
hashes with their salts.
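
Added illustration, not part of the original message: a small salt-reuse audit a defender can run over a credential store to see how few distinct salts a short salt leaves. It compares the 12-bit salt of traditional crypt(3) named above with a 128-bit salt; the 100,000-account population, the 128-bit size, the function names and the randomly generated salts are all assumptions constructed for the example.

```python
import math
import random
from collections import Counter

def expected_distinct_salts(n_hashes, salt_bits):
    """Expected distinct salts when n_hashes salts are drawn uniformly
    at random from a space of 2**salt_bits values."""
    if salt_bits < 1:
        raise ValueError("salt_bits must be at least 1")
    space = 2.0 ** salt_bits
    # space * (1 - (1 - 1/space)**n), written with log1p/expm1 so it stays
    # accurate when 1/space is far below floating-point epsilon.
    return -space * math.expm1(n_hashes * math.log1p(-1.0 / space))

def salt_reuse_report(salts):
    """Summarise salt reuse; `salts` holds one salt per stored hash."""
    groups = Counter(salts)
    return {
        "hashes": len(salts),
        "distinct_salts": len(groups),
        "hashes_sharing_a_salt": sum(c for c in groups.values() if c > 1),
        "largest_group": max(groups.values(), default=0),
    }

def constructed_salts(n_hashes, salt_bits, seed=2014):
    """Constructed sample data: uniformly random salts, fixed seed."""
    rng = random.Random(seed)
    return [rng.getrandbits(salt_bits) for _ in range(n_hashes)]

if __name__ == "__main__":
    n = 100_000  # assumed account count
    for bits in (12, 128):  # 12 = traditional crypt(3); 128 = assumed size
        report = salt_reuse_report(constructed_salts(n, bits))
        print(bits, "bit salt:", report,
              "expected distinct ~", round(expected_distinct_salts(n, bits)))
```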