-=+=- -=+=- -=+=- -=+=- -=+=- -=+=- -=+=- -=+=- -=+=- -=+=- -=+=- -=+=- -=+=- -=+=- -=+=- -=+=- -=+=- -=+=- -=+=- -=+=- -=+=- -=+=- -=+=- -=+=- -=+=- -=+=- -=+=- -=+=- -=+=- -=+=- (c) WidthPadding Industries 1987 0|527|0 -=+=- -=+=- -=+=- -=+=- -=+=- -=+=- -=+=- -=+=- -=+=- -=+=- -=+=- -=+=- -=+=- -=+=- -=+=- -=+=- -=+=- -=+=- -=+=- -=+=- -=+=- -=+=- -=+=- -=+=- -=+=- -=+=- -=+=- -=+=- -=+=- -=+=-
SoCoder -> Link Home -> Dev-News


 
HoboBen
Created : 23 August 2010
 

Enough With The Rainbow Tables: What You Need To Know About Secure Password Schemes



https://chargen.matasano.com/chargen/2007/9/7/enough-with-the-rainbow-tables-what-you-need-to-know-about-s.html
Speed is exactly what you don’t want in a password hash function.

 

Comments


Monday, 23 August 2010, 17:16
JL235
Another nice article. I'm going to use the randomly generated salt on a site I'm currently building.

I've heard about the time thing before, adding slowdown code to your password checks so it takes longer for the attacker to crack your system. But what makes this worse is that if you don't deliberately slow down your hashing code then the attacker can predict which hashing function your using and use this as a basis to attack you better.
Monday, 23 August 2010, 17:23
HoboBen
Hmm. And not just artificial slow downs, you want the slow down to be integral to the hashing algorithm (either by design (e.g. blowfish) or by repeating the hash)

I can't remember the second article I found, but since you can incrementally hash with some algos, a salt isn't enough.

Instead, hash the password/message, *then* add the salt, then hash twice more.

This is done not so much to protect passwords but to protect messages that have hash signatures.