 |
Home
| Calendar
| Mail Lists
| List Archives
| Desktop SIG
| Hardware Hacking SIG
Wiki | Flickr | PicasaWeb | Video | Maps & Directions | Installfests | Keysignings Linux Cafe | Meeting Notes | Linux Links | Bling | About BLU |
|
Home
| Calendar
| Mail Lists
| List Archives
| Desktop SIG
| Hardware Hacking SIG
Wiki | Flickr | PicasaWeb | Video | Maps & Directions | Installfests | Keysignings Linux Cafe | Meeting Notes | Linux Links | Bling | About BLU |
On 07/23/2013 11:16 PM, Bill Horne wrote: > the hashes allow a "Dictionary attack", where they just run every word > in the dictionary through a hash function, and see what matches. It depends. Unsalted hashes are vulnerable to dictionary attacks with rainbow tables. But the right (non-Microsoft) way to do it is to prepend a random salt to every password before hashing it. Save the salt in the clear along with the hash. When you want to authenticate, take the offered password, prepend the salt, hash it, and check against the saved hash. Now if two different people have "password" as their matching passwords, the hashed versions still won't match because the salts will still be different. If the salt (or nonce) is, say, 32-bits, you have just multiplied the needed size of the rainbow table by 4-billion. Use a bigger salt and the needed rainbow table can be universes-bigger. -kb
 |
|
| BLU is a member of BostonUserGroups | |
| We also thank MIT for the use of their facilities. | |
