Re: Putting passwords in a properties file?
Dave Searles wrote:
Arne Vajh?j wrote:
Dave Searles wrote:
markspace wrote:
Dave Searles wrote:
It seems to me that if you have the hash and the salt, and know the
algorithm for convolving the password with the salt, then you can
still carry out a dictionary attack.
A dictionary attack pre-computes the hash, and then just scans the
password file for a simple string match. The salt defeats this,
because each bit in the salt doubles the storage needed for the
dictionary.
<http://en.wikipedia.org/wiki/Salt_%28cryptography%29>
You're right in that if the password itself is weak and could be
guessed, then all bets are off.
As Tom explained, the salt does not make any single password harder
to crack, but it does slow down an attack aimed at getting all (or
the first) dictionary-vulnerable password.
I was thinking in terms of protecting a particular targeted account
(yours, say, or the superuser account), while you two were apparently
thinking more of protecting all of the accounts in some statistical
sense.
No no no.
Whaaat? Nonsense.
It is true.
The use of salt makes all dictionary attacks more difficult, because
it invalidates pre-calculated dictionaries.
Moving the hashing of the dictionary out of the loop only occurs when
there's a loop (multiple passwords being attacked) to move it out of.
It's that move that salting makes impossible.
It is:
no salt =>
for username, hashedPassword in passwordFile:
word = lookup_in_internet_database(hashedPassword)
print username, word # pwned!
same salt for all users =>
for word in dictionary:
hashedWord = hash(salt, word)
for username, hashedPassword in passwordFile:
if (hashedPassword == hashedWord):
print username, word # pwned!
different salt for each user =>
for word in dictionary:
for username, salt, hashedPassword in passwordFile:
hashedWord = hash(word, salt)
if (hashedPassword == hashedWord):
print username, word # pwned!
Arne