Jonathan Yu writes:

> It's my understanding that the margin by which storing a hashed
> password without a salt is better is related to its length. It's
> harder to calculate/store SHA-512 hashes versus SHA-1, right? I mean,
> takes a lot more time & space to construct rainbow tables, and thus
> could be infeasible to generate.
That fits with my understanding, but I make no claims to be a crypto
expert. I should probably state that more strongly: don't trust anything
I say about crypto.

> On the other hand, criminals and governments that wish to crack data
> would potentially have access to lots of resources, like lots of disk
> space and processing power, so that point is moot.

I understand that cryptographers use the term "well-funded organisation"
or "WFO" when discussing such scenarios. (A recent improvement on attacks
against SHA-1 reduced the search space for construction of two distinct
documents with the same hash to 2**52 hashing operations. That's
considered to be within reach for a WFO, though 4 quadrillion SHA-1 hash
operations is still a non-trivial undertaking.)

The thing is, rainbow tables are *large*, and every additional bit you
want to consider in the search space makes them larger still. Suppose
that an unsalted rainbow table for a particular hash and search space is
a terabyte. (That seems to be about right for readily-available
precomputed rainbow tables at the moment.) Now consider concatenating a
32-bit salt (from a high-entropy source) to each password. An equivalent
rainbow table which covers this *new* search space would be 4 billion
times bigger, or something like 4 zettabytes. No one knows how to build a
storage system with that much capacity, no matter how WF the O.

-- 
Aaron Crane ** http://aaroncrane.co.uk/
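The following is an added worked example, not part of Aaron's message or of any project it mentions. It makes the "every salt bit multiplies the table" argument concrete on a toy scale: a constructed password space of three lowercase letters, SHA-1 as in the message, and a plain digest-to-password lookup table standing in for a rainbow table (a real rainbow table compresses the same coverage with hash chains, but the search space it has to cover, and so its size, scales by the same 2**salt_bits factor). The salt widths, the password `cat` and the one-terabyte baseline are assumptions chosen for illustration; the salt is prepended to the password, as the message describes.

```python
import hashlib
import itertools
import os
import string

# Constructed toy parameters (assumptions, not from the original message):
# every password is exactly 3 lowercase letters, 26**3 = 17,576 candidates,
# small enough to precompute exhaustively in well under a second.
ALPHABET = string.ascii_lowercase
PW_LEN = 3


def all_passwords():
    """Enumerate the whole (toy) password space as byte strings."""
    for chars in itertools.product(ALPHABET, repeat=PW_LEN):
        yield "".join(chars).encode()


def salted_sha1(salt: bytes, password: bytes) -> str:
    """Hash salt || password with SHA-1, the construction discussed above."""
    return hashlib.sha1(salt + password).hexdigest()


def all_salts(salt_bits: int):
    """Every salt value of the given bit width, as big-endian bytes.
    salt_bits=0 yields the single empty salt (the unsalted case).
    Only small widths are enumerable here; a 32-bit salt has 2**32 values,
    which is exactly the point of the message."""
    width = (salt_bits + 7) // 8
    for i in range(2 ** salt_bits):
        yield i.to_bytes(width, "big")


def build_lookup_table(salt_bits: int = 0) -> dict:
    """Attacker's precomputation: digest -> (salt, password) for every
    password and every salt value. One SHA-1 per (salt, password) pair,
    so both the work and the table size grow by 2**salt_bits."""
    table = {}
    for salt in all_salts(salt_bits):
        for pw in all_passwords():
            table[salted_sha1(salt, pw)] = (salt, pw)
    return table


def recover(table: dict, digest: str):
    """Attacker's online step: a single lookup per stolen hash."""
    return table.get(digest)


def table_bytes(unsalted_bytes: int, salt_bits: int) -> int:
    """Storage for equivalent coverage once a salt_bits-bit salt is added.
    With the message's 1 TB baseline and a 32-bit salt this is about 4 ZB."""
    return unsalted_bytes * 2 ** salt_bits


def demo():
    password = b"cat"  # assumed victim password, inside the toy space

    # Unsalted: one precomputation cracks every user who picked this password.
    unsalted = build_lookup_table(0)
    hit = recover(unsalted, salted_sha1(b"", password))

    # Random 32-bit salt from the OS CSPRNG: the same table finds nothing,
    # and extending it to cover all salts would need 2**32 times the space.
    salt = os.urandom(4)
    miss = recover(unsalted, salted_sha1(salt, password))

    # A salt that is too short (4 bits here) only multiplies the table by 16,
    # so the attacker simply precomputes every salt value and still wins.
    short = build_lookup_table(4)
    weak_salt = b"\x0a"  # one of the 16 possible 4-bit salts
    hit_short = recover(short, salted_sha1(weak_salt, password))

    return hit, miss, hit_short, len(unsalted), len(short)


if __name__ == "__main__":
    hit, miss, hit_short, n_unsalted, n_short = demo()
    print("unsalted lookup:", hit)
    print("32-bit random salt, same table:", miss)
    print("4-bit salt, table enlarged 16x:", hit_short)
    print("entries:", n_unsalted, "->", n_short)
    print("1 TB table with a 32-bit salt:", table_bytes(10**12, 32), "bytes")
```

The unsalted table is built once and amortised over every stolen hash; the salted lookup misses not because SHA-1 got harder but because the precomputation no longer matches the input. The 4-bit case shows the failure mode in the other direction: a salt short enough to enumerate buys almost nothing, which is why the message insists on a wide salt from a high-entropy source.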