* On Wed, May 20 2009, Arthur Corliss wrote:
> On Wed, 20 May 2009, Jonathan Yu wrote:
>
>> Not totally pointless, of course, because it would still require
>> regenerating a rainbow table versus downloading one of them already
>> available. On the other hand, depending how popular your application
>> gets, this can be dangerous -- take for example Microsoft's Lan
>> Manager Hash algorithm, LMHash. Even though it is a specialized
>> algorithm, it became popular enough to make it feasible/useful to
>> create and distribute rainbow tables for. So your point is valid in
>> that case, and it never hurts security nor is it a big deal on
>> performance.
>
> I would suggest that the benefit of a static salt is marginal at best since
> many of these hash algorithms aren't exactly computationally intensive on
> today's hardware.

Yes, this is why you should use Bcrypt or something else designed for
hashing passwords.

You should be using Authen::Passphrase anyway, which makes this a
one-liner.

Before:

  use Authen::Passphrase::SaltedDigest;

  # Salted SHA-256: a fast digest with a 20-byte random salt
  my $passphrase = Authen::Passphrase::SaltedDigest->new(
      algorithm => 'SHA-256',
      salt_random => 20,
      passphrase => 'super secret',
  );

After:

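  use Authen::Passphrase::BlowfishCrypt;

  # bcrypt: cost is the base-two logarithm of the number of keying rounds
  my $passphrase = Authen::Passphrase::BlowfishCrypt->new(
      cost => 8,
      salt_random => 20,
      passphrase => 'super secret',
  );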

I believe A::P will cleanly handle mixed data (including data it didn't
create; it handles plenty of hash types), as well, so there is really no
reason to not migrate to this.

(FWIW, things like bcrypt make brute-forcing theoretically impossible.
On my LUKS disk, the key is strengthened with about 2 seconds worth of
computation.  Assuming someone trying to break my password could get
a million computers, it would take them about 665 years to try all
possible 10-character passphrases.  That puts breaking the encryption
out of the range of governments, not just some punk that hacked your
server.)

Protecting your users' passwords like this requires no additional code,
so I don't see why you wouldn't do it.

Regards,
Jonathan Rockway

--
print just => another => perl => hacker => if $,=$"
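
The migration described in the message above, as an added example that is not part of the original email: a stored hash of any scheme Authen::Passphrase can parse is verified at login and replaced with a bcrypt hash once the plaintext is known. The helper name check_and_upgrade, the minimum cost of 8 and the legacy {SSHA} sample record are assumptions made for the illustration.

```perl
use strict;
use warnings;
use Authen::Passphrase;
use Authen::Passphrase::SaltedDigest;
use Authen::Passphrase::BlowfishCrypt;

# Hypothetical helper (not part of Authen::Passphrase): verify a login
# against a stored RFC 2307 string. Returns (matched, replacement), where
# replacement is a new bcrypt string to store, or undef if none is needed.
sub check_and_upgrade {
    my ($stored, $candidate, $min_cost) = @_;

    # from_rfc2307 dies on a scheme it cannot parse; treat that as a failed login.
    my $ppr = eval { Authen::Passphrase->from_rfc2307($stored) };
    return (0, undef) unless $ppr && $ppr->match($candidate);

    # Already bcrypt at an acceptable cost: keep the stored value.
    return (1, undef)
        if $ppr->isa('Authen::Passphrase::BlowfishCrypt')
        && $ppr->cost >= $min_cost;

    # The plaintext is only available now, at login, so re-hash it here.
    my $new = Authen::Passphrase::BlowfishCrypt->new(
        cost        => $min_cost,
        salt_random => 1,
        passphrase  => $candidate,
    );
    return (1, $new->as_rfc2307);
}

# Constructed sample record: a legacy salted SHA-1 hash ({SSHA}).
my $stored = Authen::Passphrase::SaltedDigest->new(
    algorithm   => 'SHA-1',
    salt_random => 20,
    passphrase  => 'super secret',
)->as_rfc2307;

# A wrong guess, then two correct logins: the first one upgrades the record.
for my $try ('wrong guess', 'super secret', 'super secret') {
    my ($ok, $replacement) = check_and_upgrade($stored, $try, 8);
    $stored = $replacement if defined $replacement;
    printf "%-12s ok=%d scheme=%s\n", $try, $ok, $stored =~ /^(\{\w+\})/;
}
```

Accounts that never log in again keep their old hash, so the upgrade only covers active users until the remaining records are expired or reset.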
