lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Message-ID: <CAMtf1Hviry89=VtFeNSnCuNR3xNxzKe4DOHbFsBaRzKD54wS=w@mail.gmail.com>
Date: Sat, 13 Dec 2014 08:23:52 +0800
From: Ben Harris <ben@...rr.is>
To: discussions@...sword-hashing.net
Subject: Re: [PHC] How important is salting really?
On 13/12/2014 2:57 am, "Steve Thomas" <steve@...tu.com> wrote:
> Cool that part got cleared up. Also that "attack passwords before you get
the
> hash" is only theoretical because you probably don't know the hashing
algorithm.
> Is it MD5(pw), SHA1(pw), MD5(SHA1(pw)), MD5("deliciously-salty-" || pw).
>
Have a look at bitcoin brain wallets for a practical attack when a salt
isn't used. I've not seen if anyone has estimated the size of the lookup
tables in use in those attacks, but I've tested with some obscure and long
passwords and they are stolen in a second.
I get your point, but for the same reason 12bit salts are a thing there
aren't many hash combinations in practice (only based off my experience
using software, though I think WordPress has a server salt for the
passwords like your deliciously-salty).
Content of type "text/html" skipped
Powered by blists - more mailing lists