
RE: [WEB SECURITY] thoughts on salted passwords within web applications?



> I think the easiest way to defeat "Rainbow Tables" is just to hash
> twice.

Er, no it isn't.  A double hash has a single output for each password,
which makes it a perfect candidate for a rainbow table.  

A salt provides two major advantages (especially if it has a reasonable
amount of entropy); the first is that it makes rainbow tables unfeasible
(as now you must pre-compute millions of possible hashes for each
possible password; a storage nightmare).  The second is that it makes
brute forcing a full userbase less efficient (without a salt, you can
simply compute a hash for a given password, then compare it to *all* the
hashes in the user database).

Martin...
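An added example, not from the original thread, that makes both of Martin's points concrete: a constructed wordlist and user records stand in for a real dictionary and user database, and SHA-256 is assumed as the base hash.

```python
import hashlib
import os

# Constructed wordlist: stands in for the dictionary behind a precomputed (rainbow) table.
WORDLIST = ["password", "letmein", "qwerty", "hunter2", "dragon"]
# Constructed user records; in a real application these come from the user database.
USERS = [("alice", "password"), ("bob", "dragon"), ("carol", "hunter2")]


def double_hash(password: str) -> str:
    """Hash twice, as the quoted suggestion proposes. Still exactly one output per password."""
    first = hashlib.sha256(password.encode()).digest()
    return hashlib.sha256(first).hexdigest()


def salted_hash(password: str, salt: bytes) -> str:
    """Per-user random salt mixed in: the same password yields a different hash for each user."""
    return hashlib.sha256(salt + password.encode()).hexdigest()


def verify_salted(password: str, salt: bytes, stored: str) -> bool:
    return salted_hash(password, salt) == stored


def build_table(words) -> dict:
    """One-time precomputation over the wordlist (a rainbow table in miniature)."""
    return {double_hash(w): w for w in words}


def recover_double_hashed(words) -> dict:
    """Unsalted store: one table, built once, recovers every user by lookup alone."""
    table = build_table(words)
    store = {name: double_hash(pw) for name, pw in USERS}
    return {name: table.get(h) for name, h in store.items()}


def recover_salted(words):
    """Salted store: the precomputed table yields nothing, and every user costs a fresh
    pass over the wordlist. Returns (recovered, table hits, hash computations spent)."""
    table = build_table(words)
    store = {}
    for name, pw in USERS:
        salt = os.urandom(16)  # 128 bits of entropy, stored alongside the hash
        store[name] = (salt, salted_hash(pw, salt))
    hits = sum(1 for _, h in store.values() if h in table)
    found, work = {}, 0
    for name, (salt, h) in store.items():
        for w in words:
            work += 1
            if verify_salted(w, salt, h):
                found[name] = w
                break
    return found, hits, work
```

Against the double-hashed store the whole userbase falls to five precomputed hashes and three lookups; against the salted store the table scores no hits and each user has to be attacked separately.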

----------------------------------------------------------------------------
Join us on IRC: irc.freenode.net #webappsec

Have a question? Search The Web Security Mailing List Archives:
http://www.webappsec.org/lists/websecurity/

Subscribe via RSS:
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]