Re: password hashing and crypt()

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 


On Tue, January 22, 2008 7:43 pm, Chris wrote:
> Richard Lynch wrote:
>> On Sat, January 19, 2008 8:24 pm, Eric Butera wrote:
>>> I always make sure that I use a site specific salt which is just
>>> appended on the user supplied value.  I started doing that when I
>>> read
>>> that people had created huge databases of hashed values that they
>>> can
>>> just search on.  At least this way no matter what the password
>>> isn't a
>>> dictionary word.  As for if that really adds value in the end I
>>> can't
>>> say as I'm not really a security expert.
>>>
>>> Eg. hash('sha256', $input.$salt);
>>
>> The Bad Guys create humongous databases of every dictionary word
>> with
>> every possible salt...  So what salt you use does not matter...
>
> Sure it does. I could use my server name or the application's url, the
> current time, whatever I like and put all of that in the salt. There's
> no way they'll have that in their dictionary.
>
> As long as I store the salt I know how to compare it again later.

For the algorithms used by crypt(), the salt is IN the crypted value.

If the Bad Guy has the crypted value, they already have the salt.

They can maybe make a dictionary that is MUCH larger with every
possible salt, and do a simple comparison.

Or they can quickly write up a crypt()-based script that extracts the
salt and tries the Top 10,000 passwords for each.

Most Un*x systems come with /usr/share/dict/web2, Webster's second
edition dictionary.

It has only 235,882 words in it.

How many possible salts are there?

DES only lets you have 2 chars, a-z, right?

235,882 X 26 X 26 is not exactly a HUGE database of possible values to
have on hand.

The 1$ and 2$ salts are longer, but I suspect still not THAT much longer.

The salt only increases the difficulty by a factor of X, but doesn't
make it geometrically harder to crack -- So a Bad Guy only has to have
X times as much resources, for a relatively small X.

-- 
Some people have a "gift" link here.
Know what I want?
I want you to buy a CD from some indie artist.
http://cdbaby.com/from/lynch
Yeah, I get a buck. So?

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
[Index of Archives]     [PHP Home]     [Apache Users]     [PHP on Windows]     [Kernel Newbies]     [PHP Install]     [PHP Classes]     [Pear]     [Postgresql]     [Postgresql PHP]     [PHP on Windows]     [PHP Database Programming]     [PHP SOAP]

  Powered by Linux