[TriLUG] don't understand salt

Michael Peters mpeters at plusthree.com
Sat Jun 9 10:05:50 EDT 2012


On 06/09/2012 09:50 AM, Joseph Mack NA3T wrote:

> I assume if you have the salt, then you don't have to explore the 16bit
> space of the salt and you're back to rainbow tables. So it's not clear.
> Please elaborate.

Rainbow tables are extremely expensive to generate. This article talks 
about generating an 8 character table with a graphics card in 5 days: 
http://security.stackexchange.com/questions/3448/how-long-does-it-take-to-actually-generate-rainbow-tables. 
And it only gets worse if you include non-alphanumeric or go with more 
characters or use nested hashing.

Without a salt you just need 1 rainbow table for every length password. 
So 5-10 rainbow tables and you're good to go.

But if each password has its own salt then you need 5-10 rainbow 
tables *per-salt*. And with a database of millions of passwords (as is 
the case with linkedin) you won't be able to generate the rainbow tables 
fast enough to be useful. So unless computing speeds make a giant leap 
forward it's not practical.

-- 
Michael Peters
Plus Three, LP
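The point made above, as an added example that is not part of the original post: a precomputed digest -> password table cracks every user of an unsalted database in one pass, while a per-user salt forces the attacker to rebuild the whole table for each user. The users, passwords and the five-word candidate list are constructed sample data, and a real rainbow table is stood in for by a plain Python dictionary over that candidate list (same economics, no chain reduction); the final two functions show what a site should store instead (per-user salt plus an iterated hash), using only the standard library.

```python
"""Added example, not from the TriLUG post: why a per-user salt defeats a
precomputed hash table.  Users, passwords and the candidate list are
constructed sample data.  A real rainbow table is stood in for by a plain
digest -> password dictionary over a tiny candidate list; the economics
the post describes (one full table build per distinct salt) are the same."""
import hashlib
import hmac
import os

# Constructed candidate space; a real table would cover every 8-char string.
CANDIDATES = ["password", "letmein", "qwerty", "123456", "linkedin"]

# Constructed user database (plaintexts are only here to build the demo).
USERS = {"alice": "password", "bob": "letmein", "carol": "Tr0ub4dor&3"}


def hash_password(password, salt=b""):
    """Unsalted (salt=b'') or salted SHA-1, as a legacy site might store it."""
    return hashlib.sha1(salt + password.encode()).hexdigest()


def build_table(salt=b""):
    """Precompute digest -> password for every candidate under ONE salt.
    This is the expensive step; it has to be redone for every new salt."""
    return {hash_password(p, salt): p for p in CANDIDATES}


def attack_unsalted(db):
    """One table, built once, is looked up against every stored digest.
    Returns (user -> recovered password or None, hashes computed)."""
    table = build_table()
    return {u: table.get(h) for u, h in db.items()}, len(CANDIDATES)


def make_salted_db(users):
    """Store (salt, digest) per user; the salt is random and kept in the clear."""
    db = {}
    for user, pw in users.items():
        salt = os.urandom(16)
        db[user] = (salt, hash_password(pw, salt))
    return db


def unsalted_table_hits_salted_db(salted_db):
    """The attacker's single unsalted table recovers nothing from a salted DB."""
    table = build_table()
    return sum(1 for _, digest in salted_db.values() if digest in table)


def attack_salted(db):
    """Every user has a different salt, so the attacker needs a fresh table
    per user: work scales with users * table size, not just table size."""
    recovered, work = {}, 0
    for user, (salt, digest) in db.items():
        table = build_table(salt)  # a whole new table, usable for this salt only
        work += len(CANDIDATES)
        recovered[user] = table.get(digest)
    return recovered, work


# What a site should do instead: per-user salt plus a slow iterated hash
# (hashlib.pbkdf2_hmac from the standard library; iteration count is a
# constructed choice, tune it to your hardware).
def store_password(password, iterations=200_000):
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def verify_password(password, salt, stored, iterations=200_000):
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, stored)  # constant-time compare


if __name__ == "__main__":
    unsalted_db = {u: hash_password(p) for u, p in USERS.items()}
    print("unsalted:", attack_unsalted(unsalted_db))
    salted_db = make_salted_db(USERS)
    print("unsalted table vs salted db hits:", unsalted_table_hits_salted_db(salted_db))
    print("salted:", attack_salted(salted_db))
```

Running it shows alice and bob recovered from the unsalted database with one five-entry table, zero hits when that same table is tried against the salted database, and the salted attack only succeeding after building a separate table per user (three times the hashing work for three users; for millions of users that multiplier is what makes the precomputation pointless). carol's password is outside the candidate list and is never recovered either way, which is the other half of the story: salting raises the cost per user, it does not make a guessable password unguessable.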
