Re: Very Secure Password Hashing using unknown salts.
Posted: Thu Jan 20, 2011 2:11 pm
Unless they have the code of course?
A community of PHP developers offering assistance, advice, discussion, and friendship.
http://forums.devnetwork.net/
Both dictionary attacks (I'm not talking about brute-force dictionary attacks, which may be/are very SLOW) and rainbow attacks have precalculated tables of values. When salt is used, these table values do not match anymore.
Benjamin wrote: What makes you say this?
VladSun wrote: I think rainbow attacks or dictionary attacks are useless (or at least very hard to apply) for salted hashes even if the salt is known.
Considering "not having the code" (which is an obscure method IMHO) something like this will be much easier and stronger:
Jonah Bron wrote: Unless they have the code of course?
No, even with the code they cannot determine the salt length without knowing the actual length of the password.
Jonah Bron wrote: Unless they have the code of course?
Erm, no, you don't have to update it. It makes no difference, as I did (try to) explain. There's absolutely no benefit from using this compared to simply keeping the salt in another column. Plus, for some hashes your salts are weak.
Benjamin wrote: Interesting. I could have sworn I tested the salt lengths. I will need to update that so that the salt lengths are specifically based on the password length, or some other element specific to the password.
On the bright side it's still very secure. If you want to create an updated version feel free to take a crack at it.
If I can't crack this knowing the salt, it means your password was not in my dictionary, well done. You will note though that salts are used to prevent attacks against weak passwords; strong passwords are secure even with weak hashing schemes.
Benjamin wrote: If you can't crack this knowing the salt, how do you plan on cracking it without knowing the salt?
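
An added example (not code from any poster in this thread) of the two points argued above: a precomputed table misses a salted hash even when the salt is known, while a weak password behind a fast hash still falls to per-account guessing, so the defence is a slow KDF with a random salt stored in its own column. The word list, function names and the PBKDF2 iteration count are assumptions made for the illustration.

```python
import hashlib
import hmac
import os

# Constructed sample: a tiny word list standing in for a guessing dictionary.
WORDLIST = ["letmein", "password", "dragon"]
ITERATIONS = 600_000  # assumed PBKDF2 work factor; tune to your hardware

def fast_hash(salt: bytes, password: str) -> str:
    """The weak scheme under discussion: one round of SHA-256 over salt+password."""
    return hashlib.sha256(salt + password.encode()).hexdigest()

# Precomputed table of unsalted hashes, built once and reusable against any account.
PRECOMPUTED = {fast_hash(b"", w): w for w in WORDLIST}

def table_lookup(stored_hash: str):
    """Precomputed lookup: only hits when no salt was mixed in."""
    return PRECOMPUTED.get(stored_hash)

def guess_with_known_salt(salt: bytes, stored_hash: str):
    """Per-account guessing: the salt is a plain column, so each word is rehashed."""
    for word in WORDLIST:
        if hmac.compare_digest(fast_hash(salt, word), stored_hash):
            return word
    return None

def store_slow(password: str):
    """Random per-user salt kept beside the hash, plus a deliberately slow KDF."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest

def verify_slow(password: str, salt: bytes, digest: bytes) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)

if __name__ == "__main__":
    salt = os.urandom(16)
    weak = fast_hash(salt, "dragon")
    strong = fast_hash(salt, "a long passphrase not in the list")
    print("unsalted, table:", table_lookup(fast_hash(b"", "dragon")))
    print("salted, table:", table_lookup(weak))
    print("salted weak, known salt:", guess_with_known_salt(salt, weak))
    print("salted strong, known salt:", guess_with_known_salt(salt, strong))
    s, d = store_slow("dragon")
    print("slow KDF verifies:", verify_slow("dragon", s, d))
```

With the slow KDF, every iteration of the guessing loop costs `ITERATIONS` hash rounds per account, which is what protects weak passwords once the salt is known.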