Re: [WEB SECURITY] thoughts on salted passwords within web applications?
- From: "Brian Eaton" <eaton.lists@xxxxxxxxx>
- Subject: Re: [WEB SECURITY] thoughts on salted passwords within web applications?
- Date: Sun, 27 Jan 2008 20:20:42 -0800
On Jan 27, 2008 5:17 PM, Nicolae Namolovan <adrenalinup@xxxxxxxxx> wrote:
> But if having a rainbow table of 14 chars string is 64 gigabytes, do
> you imagine what kind of rainbow table do you need for all possible 64
> chars strings?

The tables will be indexed by plain text passwords, not by the hashed
versions. Unless you're going to force your users to memorize 64
character strings for passwords, the output hash length isn't going to
help.

> >going to use a botnet to build rainbow tables for it.
> I don't mean to be rude, why don't use a botnet to brute force any
> protection in the world, that's easy.

If you don't use salts, the botnet is going to crack all of your
passwords at once. If you do use salts, the botnet has to break them
one at a time.

Cheers,
Brian
----------------------------------------------------------------------------
Join us on IRC: irc.freenode.net #webappsec
Have a question? Search The Web Security Mailing List Archives:
http://www.webappsec.org/lists/websecurity/
Subscribe via RSS:
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
Brought to you by http://www.webappsec.org
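
Added example, not part of the original message: a Python sketch of the point made in the reply above, counting the hash computations a password audit needs against the same accounts stored unsalted and with a per-user 16-byte salt. The user names, passwords, candidate list and function names are constructed for illustration, and plain SHA-256 stands in for whatever hash the application uses.

```python
import hashlib
import os

# Constructed sample data (not from the thread).
CANDIDATES = ["123456", "password", "letmein", "qwerty", "dragon", "monkey"]
USERS = {"alice": "letmein", "bob": "qwerty", "carol": "letmein", "dave": "x9$Lq!v2"}

def h(salt: bytes, password: str) -> str:
    # SHA-256 keeps the work count easy to follow; production storage
    # should use a deliberately slow password hash on top of the salt.
    return hashlib.sha256(salt + password.encode()).hexdigest()

def store(users, salted):
    """Return {user: (salt, digest)}; the salt is empty when salted is False."""
    db = {}
    for user, pw in users.items():
        salt = os.urandom(16) if salted else b""
        db[user] = (salt, h(salt, pw))
    return db

def audit(db, candidates):
    """Match stored digests against candidates; return (recovered, hash_count)."""
    recovered, hashes = {}, 0
    tables = {}  # one precomputed lookup table per distinct salt
    for user, (salt, digest) in db.items():
        if salt not in tables:
            # The table is built from plaintext candidates, so its size follows
            # the candidate list, not the length of the digest.
            tables[salt] = {h(salt, c): c for c in candidates}
            hashes += len(candidates)
        if digest in tables[salt]:
            recovered[user] = tables[salt][digest]
    return recovered, hashes

if __name__ == "__main__":
    for salted in (False, True):
        found, work = audit(store(USERS, salted), CANDIDATES)
        print("salted" if salted else "unsalted", "hashes:", work, "matched:", sorted(found))
```

Without salts one table of six hashes is reused for every account; with salts the same table has to be rebuilt for each account, so the work grows with the number of users.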