RE: Values to use for a salt?
From: Ton Geurts (geurts_at_vanveen.nl)
Date: 12/23/03
- Previous message: Marian Ion: "Re: Values to use for a salt?"
- Maybe in reply to: Craig Minton: "Values to use for a salt?"
To: "'secprog@securityfocus.com'" <secprog@securityfocus.com>
Date: Tue, 23 Dec 2003 09:01:45 +0100
> I think (and I'm aware that I might prove wrong) that salt is for weak
> algorithms and weak passwords, set by regular users, not by a security
> administrator. But I would not let regular users set their own passwords,
> and use them for years ...
>
> Regards,
> Marian
For a dictionary attack the algorithm is irrelevant: the outcome is
calculated in advance. An attacker has time. A week or two extra to build
the hashed dictionary won't really matter. And I am not even talking about
government intelligence agencies (CIA, FBI, GCHQ, Mossad) with their
$10,000,000 Cray supercomputers.
A salt is needed more with weak passwords than strong passwords because weak
passwords can be found with a normal dictionary attack. But even for strong
passwords there is a case for salting. But even when you run my default
password '$3qR€Et!' (pretty strong, especially because of the EURO sign)
through the algorithm: salted is safer because you cannot precompute all
strong passwords and salts unless you own a couple of those Crays.
Ton Geurts
BTW, if anyone thinks that the above is my real password: I'm a blond and I
am male, but I am not that stupid! My real password is
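The precomputed "hashed dictionary" argument above, as an added example that is not part of the post: an attacker's table built once from a (constructed) word list matches an unsalted hash directly, while a per-user random salt leaves the same password unmatched and multiplies the table the attacker would need by the number of possible salts. The word list, salt length and iteration count are assumptions for illustration.

```python
import hashlib
import os

# Constructed stand-in for an attacker's dictionary.
WORDLIST = ["password", "letmein", "123456", "qwerty", "dragon"]


def unsalted_hash(password: str) -> str:
    """Plain hash: identical passwords always give identical hashes."""
    return hashlib.sha256(password.encode()).hexdigest()


def salted_hash(password: str, salt: bytes) -> str:
    """Salt is stored next to the hash; it need not be secret, only unique."""
    return hashlib.sha256(salt + password.encode()).hexdigest()


def slow_salted_hash(password: str, salt: bytes, iterations: int = 100_000) -> str:
    """Salt plus a deliberately slow KDF (PBKDF2) makes even a per-salt
    dictionary run expensive, addressing the 'an attacker has time' point."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()


def precompute_table(words):
    """The hashed dictionary from the post: built once, reused forever."""
    return {unsalted_hash(w): w for w in words}


def lookup(table, stored_hash):
    """Return the recovered password, or None if the hash is not in the table."""
    return table.get(stored_hash)


def table_entries_needed(words, salt_bits: int) -> int:
    """Entries a precomputed table needs to cover every word under every salt."""
    return len(words) * (2 ** salt_bits)


def demo():
    table = precompute_table(WORDLIST)
    salt = os.urandom(16)  # random per-user salt
    recovered_plain = lookup(table, unsalted_hash("letmein"))
    recovered_salted = lookup(table, salted_hash("letmein", salt))
    return recovered_plain, recovered_salted  # ("letmein", None)


if __name__ == "__main__":
    print(demo())
    print(table_entries_needed(WORDLIST, 128))  # table size with 128-bit salts
```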