Message-ID: <2124675781.276319.1418410622258.JavaMail.open-xchange@oxuslxltgw02.lxa.perfora.net>
Date: Fri, 12 Dec 2014 12:57:02 -0600 (CST)
From: Steve Thomas <steve@...tu.com>
To: discussions@...sword-hashing.net
Subject: Re: [PHC] How important is salting really?
> On December 12, 2014 at 12:09 PM epixoip <epixoip@...dshell.nl> wrote:
>
>
> On 12/12/2014 5:58 AM, Krisztián Pintér wrote:
> > On Fri, Dec 12, 2014 at 2:39 PM, epixoip <epixoip@...dshell.nl> wrote:
> >> At what point did I demonstrate a lack of understanding / make a slight
> >> misstep?
> > at the point when you called "start attacking before knowing the hash"
> > nonsense. i know it was a misstep, because you referred to the
> > solution earlier (lookup tables).
>
> I see. To be clear, I didn't say it was nonsense, I said it made no
> sense. As in, the way it was worded made no sense to me. That's why I
> asked for clarification, which was met with insult. Now that you have
> clarified his intention, I understand what he was trying to say. But to
> me it still seems like a very awkward way to phrase it. Anyway, yes, I
> agree that this was a misstep.
>
Cool, that part got cleared up. Also that "attack passwords before you get the
hash" is only theoretical because you probably don't know the hashing algorithm.
Is it MD5(pw), SHA1(pw), MD5(SHA1(pw)), MD5("deliciously-salty-" || pw)?

And now for the other "salt table". For those that don't see the need for this,
it's because you probably haven't run into a scheme that has lots of salt
collisions: crypt(3) (12 bit salt
http://en.wikipedia.org/wiki/Crypt_(C)#Traditional_DES-based_scheme) or
vBulletin (3 character salt). These cause massive amounts of salt collisions and
as such you have a table of unique salts "salt table". You run through the salt
table and remove them when they are no longer needed. If salts are large enough
there is little difference between a salt table and a list of all the hashes
with their salts.
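
An added example, not part of the original message: a defender-side audit that groups stored (user, salt, hash) records into the "salt table" described above and reports how far salt reuse shrinks the per-candidate work, for the 12-bit salt mentioned in the post. The function names, the 64-bit salt used for contrast, and the sample records are assumptions constructed for illustration.

```python
import random
from collections import defaultdict

def expected_unique_salts(n_hashes: int, salt_space: int) -> float:
    """Expected number of distinct salts when n_hashes salts are drawn
    uniformly at random from salt_space possible values."""
    return salt_space * (1.0 - (1.0 - 1.0 / salt_space) ** n_hashes)

def build_salt_table(records):
    """Group (user, salt, hash) records by salt: salt -> [(user, hash), ...]."""
    table = defaultdict(list)
    for user, salt, digest in records:
        table[salt].append((user, digest))
    return dict(table)

def salt_reuse_report(records, salt_space):
    """Summarise salt reuse in a non-empty set of stored records."""
    table = build_salt_table(records)
    n = len(records)
    return {
        "hashes": n,
        "unique_salts": len(table),
        "expected_unique": expected_unique_salts(n, salt_space),
        "largest_group": max(len(group) for group in table.values()),
        # One hash computation per candidate per unique salt covers every
        # stored hash, so reuse divides the work by this factor.
        "work_reduction": n / len(table),
    }

def constructed_records(n, salt_bits, seed=2014):
    """Constructed sample data: random salts, placeholder hash strings."""
    rng = random.Random(seed)
    return [(f"user{i}", rng.getrandbits(salt_bits), f"hash{i}")
            for i in range(n)]

if __name__ == "__main__":
    # 12 bits is the salt size named in the post; 64 bits is an assumed contrast.
    for bits in (12, 64):
        records = constructed_records(100_000, bits)
        print(bits, salt_reuse_report(records, 2 ** bits))
```

With a 12-bit salt the table can never hold more than 4096 entries however many hashes are stored, while with the larger salt it is effectively the full hash list, which is the post's closing point.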