[TriLUG] don't understand salt
Michael Peters
mpeters at plusthree.com
Sat Jun 9 10:05:50 EDT 2012
On 06/09/2012 09:50 AM, Joseph Mack NA3T wrote:
> I assume if you have the salt, then you don't have to explore the 16bit
> space of the salt and you're back to rainbow tables. So it's not clear.
> Please elaborate.
Rainbow tables are extremely expensive to generate. This article talks
about generating an 8 character table with a graphics card in 5 days:
http://security.stackexchange.com/questions/3448/how-long-does-it-take-to-actually-generate-rainbow-tables.
And it only gets worse if you include non-alphanumeric or go with more
characters or use nested hashing.
Without a salt you just need 1 rainbow table for every length password.
So 5-10 rainbow tables and you're good to go.
But if each password has its own salt then you need 5-10 rainbow
tables *per-salt*. And with a database of millions of passwords (as is
the case with LinkedIn) you won't be able to generate the rainbow tables
fast enough to be useful. So unless computing speeds make a giant leap
forward it's not practical.
--
Michael Peters
Plus Three, LP
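The cost argument in the message above, as an added example that is not part of the original post or of any TriLUG code: a precomputed hash-to-password table (a stand-in for a rainbow table) is built once and then cracks every unsalted hash in a dump, whereas with a per-user salt the attacker has to rebuild the table for each distinct salt. SHA-1 is used only because it is fast and widely known; the five-entry wordlist and the fixed salts are constructed for the demonstration and stand in for the full 8-character key space a real table would cover.

```python
import hashlib
import secrets  # Python 3.6+; used for fresh random salts

# Constructed wordlist standing in for the full password space a real
# rainbow table would enumerate.
COMMON_PASSWORDS = ["123456", "password", "linkedin", "letmein", "qwerty"]


def sha1_hex(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()


def store_unsalted(password: str) -> str:
    """What an unsalted password database keeps: hash(password)."""
    return sha1_hex(password.encode())


def store_salted(password: str, salt: bytes = None):
    """Per-user salt prepended before hashing; salt is stored alongside."""
    if salt is None:
        salt = secrets.token_bytes(16)
    return salt, sha1_hex(salt + password.encode())


def build_unsalted_table(passwords):
    """Precompute hash -> password once; valid against every user's hash."""
    return {sha1_hex(p.encode()): p for p in passwords}


def build_salted_table(passwords, salt: bytes):
    """Same precomputation, but only valid for this one salt value."""
    return {sha1_hex(salt + p.encode()): p for p in passwords}


def crack_unsalted(dumped_hashes, table):
    """One table, one dictionary lookup per dumped hash."""
    return {h: table[h] for h in dumped_hashes if h in table}


def crack_salted(dumped_records, passwords):
    """Attacker must rebuild the whole table for every distinct salt.

    Returns (cracked, tables_built) so the per-salt cost is visible.
    """
    cracked = {}
    tables_by_salt = {}
    for salt, digest in dumped_records:
        if salt not in tables_by_salt:          # no reuse across salts
            tables_by_salt[salt] = build_salted_table(passwords, salt)
        table = tables_by_salt[salt]
        if digest in table:
            cracked[digest] = table[digest]
    return cracked, len(tables_by_salt)


if __name__ == "__main__":
    # Unsalted: the same password yields the same hash for every user,
    # so one table recovers all of them at once.
    dump = [store_unsalted("linkedin"), store_unsalted("qwerty")]
    print("unsalted cracked:", crack_unsalted(dump, build_unsalted_table(COMMON_PASSWORDS)))

    # Salted: two users with the same password get different hashes, and
    # the attacker pays for a fresh table per salt.
    records = [store_salted("linkedin"), store_salted("linkedin")]
    print("salted hashes differ:", records[0][1] != records[1][1])
    cracked, n_tables = crack_salted(records, COMMON_PASSWORDS)
    print("salted cracked:", cracked, "tables built:", n_tables)
```

The per-salt rebuild is what turns "5-10 tables" into "5-10 tables times the number of users". The salt only multiplies the attacker's precomputation; it does nothing to slow a direct guess against a single hash, which is why a deliberately slow function such as bcrypt or scrypt is normally used on top of the salt.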