It's my understanding that the margin by which storing a hashed
password without a salt is better is related to its length. It's
harder to calculate/store SHA-512 hashes versus SHA-1, right? I mean, it
takes a lot more time & space to construct rainbow tables, and thus
could be infeasible to generate.

On the other hand, criminals and governments that wish to crack data
would potentially have access to lots of resources, like lots of disk
space and processing power, so that point is moot.

Interesting idea though, using Google to reverse hashes... in that
case you wouldn't even need to know the algorithm used to hash it!

On Thu, May 21, 2009 at 5:44 AM, Aaron Crane <[email protected]> wrote:
> Bill Ward writes:
>> I didn't think that a salt was necessary with a one-way hash.
>
> Google makes even the best hash functions reversible for some inputs:
>
> http://www.google.com/search?q=5d41402abc4b2a76b9719d911017c592
> http://www.google.com/search?q=aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d
> http://www.google.com/search?q=2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824
> http://www.google.com/search?q=9b71d224bd62f3785d96d46ad3ea3d73319bfbc2890caadae2dff72519673ca72323c3d99ba5c11d7c7acc6e14b8c5da0c4663475c2e5c3adef46f73bcdec043
>
> Storing a hashed password without a salt is only marginally better
> than storing a cleartext password.
>
> --
> Aaron Crane ** http://aaroncrane.co.uk/
>
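
Added example, not part of the original thread: the four digests in the quoted links are the MD5, SHA-1, SHA-256 and SHA-512 of the same word, "hello", and this sketch shows why digest length does not help an unsalted scheme while a per-user salt with a slow KDF does. The password list, user names and PBKDF2 iteration count are constructed assumptions.

```python
import hashlib
import hmac
import os

# Constructed sample data: a tiny list of common passwords and two users
# who happen to pick the same one.
COMMON = ["123456", "password", "hello", "letmein"]
USERS = {"alice": "hello", "bob": "hello"}
ITERATIONS = 200_000  # assumed work factor for this example


def unsalted(password: str, algo: str) -> str:
    """Plain digest of the password, as in the unsalted scheme discussed."""
    return hashlib.new(algo, password.encode()).hexdigest()


def build_table(algo: str) -> dict:
    """Precompute digest -> password once; reusable against every user."""
    return {unsalted(p, algo): p for p in COMMON}


def recovered_by_table(algo: str) -> dict:
    """Which stored unsalted digests are answered by a single table lookup."""
    table = build_table(algo)
    return {u: table.get(unsalted(p, algo)) for u, p in USERS.items()}


def hash_password(password: str, salt: bytes = None) -> tuple:
    """Salted PBKDF2-HMAC-SHA256 record: (salt, derived key)."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, dk


def verify_password(password: str, salt: bytes, expected: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    return hmac.compare_digest(hash_password(password, salt)[1], expected)


if __name__ == "__main__":
    for algo in ("md5", "sha1", "sha256", "sha512"):
        print(algo, recovered_by_table(algo))  # longer digest, same result
    records = {u: hash_password(p) for u, p in USERS.items()}
    print("same stored value:", records["alice"][1] == records["bob"][1])
    print("alice verifies:", verify_password("hello", *records["alice"]))
```

Store the salt next to the derived key; it is not secret, it only forces any precomputation to be redone per user.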
