Open Source and information security mailing list archives
Date: Fri, 12 Dec 2014 12:57:02 -0600 (CST)
From: Steve Thomas <>
Subject: Re: [PHC] How important is salting really?

> On December 12, 2014 at 12:09 PM epixoip <> wrote:
> On 12/12/2014 5:58 AM, Krisztián Pintér wrote:
> > On Fri, Dec 12, 2014 at 2:39 PM, epixoip <> wrote:
> >> At what point did I demonstrate a lack of understanding / make a slight
> >> misstep?
> > at the point when you called "start attacking before knowing the hash"
> > nonsense. i know it was a misstep, because you referred to the
> > solution earlier (lookup tables).
> I see. To be clear, I didn't say it was nonsense, I said it made no
> sense. As in, the way it was worded made no sense to me. That's why I
> asked for clarification, which was met with insult. Now that you have
> clarified his intention, I understand what he was trying to say. But to
> me it still seems like a very awkward way to phrase it. Anyway, yes, I
> agree that this was a misstep.

Cool, that part got cleared up. Also that "attack passwords before you get the
hash" is only theoretical because you probably don't know the hashing algorithm.
Is it MD5(pw), SHA1(pw), MD5(SHA1(pw)), MD5("deliciously-salty-" || pw)?

And now for the other "salt table". For those that don't see the need for this,
it's because you probably haven't run into a scheme that has lots of salt
collisions: crypt(3) (12 bit salt) or
vBulletin (3 character salt). These cause massive amounts of salt collisions and
as such you have a table of unique salts "salt table". You run through the salt
table and remove them when they are no longer needed. If salts are large enough
there is little difference between a salt table and a list of all the hashes
with their salts.
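
The salt table described in the message above, as an added example that is not part of the original post: it groups records by salt, counts the hash computations one candidate costs, and drops a salt once nothing remains under it. The class and function names, the 128-bit comparison size and the sample records are assumptions made for illustration.

```python
import math
from collections import defaultdict


class SaltTable:
    """Map each unique salt to the hashes still outstanding under it."""

    def __init__(self, records):
        self.by_salt = defaultdict(set)
        for salt, digest in records:
            self.by_salt[salt].add(digest)

    def hashes_per_candidate(self):
        # One hash computation per unique salt covers every record sharing it,
        # so the cost of testing one candidate is the table size, not the record count.
        return len(self.by_salt)

    def retire(self, salt, digest):
        """Mark one record as resolved; drop the salt when it is no longer needed."""
        remaining = self.by_salt.get(salt)
        if remaining is None:
            return
        remaining.discard(digest)
        if not remaining:
            del self.by_salt[salt]


def expected_unique_salts(n_records, salt_bits):
    """Expected number of distinct salts among n uniformly random salts.

    E = S * (1 - (1 - 1/S)^n) with S = 2^salt_bits, evaluated with
    log1p/expm1 so that very large salt spaces do not round to zero.
    """
    space = 2 ** salt_bits
    return -space * math.expm1(n_records * math.log1p(-1.0 / space))


if __name__ == "__main__":
    # Constructed sample: three records, two of which share a salt.
    table = SaltTable([("ab", "h1"), ("ab", "h2"), ("cd", "h3")])
    print("records: 3, hashes per candidate:", table.hashes_per_candidate())
    table.retire("cd", "h3")
    print("after retiring cd:", table.hashes_per_candidate())

    # 12 bits is the crypt(3) size named above; 128 bits is an assumed large salt.
    for bits in (12, 128):
        unique = expected_unique_salts(100_000, bits)
        print(f"{bits}-bit salt, 100000 records: ~{unique:.1f} unique salts")
```

With 100,000 records, the 12-bit case saturates at about 4096 unique salts, so each salt is shared by roughly 24 records, while the 128-bit case stays at about one salt per record, which is the point at which the salt table and the plain hash list become the same thing.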
