lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Sat, 13 Dec 2014 08:23:52 +0800
From: Ben Harris <ben@...rr.is>
To: discussions@...sword-hashing.net
Subject: Re: [PHC] How important is salting really?

On 13/12/2014 2:57 am, "Steve Thomas" <steve@...tu.com> wrote:
> Cool that part got cleared up. Also that "attack passwords before you get
the
> hash" is only theoretical because you probably don't know the hashing
algorithm.
> Is it MD5(pw), SHA1(pw), MD5(SHA1(pw)), MD5("deliciously-salty-" || pw).
>
Have a look at bitcoin brain wallets for a practical attack when a salt
isn't used. I've not seen if anyone has estimated the size of the lookup
tables in use in those attacks, but I've tested with some obscure and long
passwords and they are stolen in a second.

I get your point, but for the same reason 12bit salts are a thing there
aren't many hash combinations in practice (only based off my experience
using software, though I think WordPress has a server salt for the
passwords like your deliciously-salty).

Content of type "text/html" skipped

Powered by blists - more mailing lists