On Mon, 30 Aug 2004 17:11:06 -0600, Andrew Jorgensen <[EMAIL PROTECTED]> wrote:
> So is the salt stored with the hash? If so, what's the point? If not,
> where is the salt stored?

One possible reason is iterative hashes. Rather than hashing a password once, the system hashes it 1000 times. The user won't notice the delay when he/she/it types in his/her/its password, but if a hacker is doing a brute force attack, it will be much slower.

However, if the hacker knows that the password is hashed 1000 times, he can hash his "brute force dictionary" (tm) 1000 times, and use the new "1000-times hashed dictionary" (tm) for the brute force attack. But, if there are salts, even stored right with the hash, he has to recreate the dictionary for each salt, and he will still have the delay of the 1000 hashes.

Derek

BYU Unix Users Group http://uug.byu.edu/
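
The point made in the reply above, as an added example that is not part of the original thread: a dictionary precomputed once resolves every unsalted record, while per-record salts stored beside the hash force one dictionary per salt and still allow normal login checks. SHA-256, the 16-byte random salt, the salt-prefix construction, and all function names and sample data are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 1000  # iteration count from the post

def iterated_hash(password: str, salt: bytes = b"") -> bytes:
    """Hash salt+password once, then re-hash the digest ITERATIONS-1 more times."""
    digest = hashlib.sha256(salt + password.encode()).digest()
    for _ in range(ITERATIONS - 1):
        digest = hashlib.sha256(salt + digest).digest()
    return digest

def verify(password: str, salt: bytes, stored: bytes) -> bool:
    """Login check: the salt is read from the record, so it need not be secret."""
    return hmac.compare_digest(iterated_hash(password, salt), stored)

def build_table(words, salt: bytes = b""):
    """Precomputed digest -> word dictionary; only valid for this one salt."""
    return {iterated_hash(w, salt): w for w in words}

def matches(table, db):
    """Which records does a single precomputed table resolve?"""
    return {user: table.get(digest) for user, (_salt, digest) in db.items()}

def tables_needed(db) -> int:
    """One dictionary must be computed per distinct salt in the database."""
    return len({salt for salt, _digest in db.values()})

def make_db(users, salted: bool):
    """Build {user: (salt, digest)}; the salt sits right beside the hash."""
    db = {}
    for user, password in users.items():
        salt = os.urandom(16) if salted else b""
        db[user] = (salt, iterated_hash(password, salt))
    return db

# Constructed sample data, not from the original thread.
WORDS = ["letmein", "hunter2", "password", "dragon"]
USERS = {"alice": "hunter2", "bob": "hunter2", "carol": "dragon"}

if __name__ == "__main__":
    table = build_table(WORDS)  # computed once, without a salt
    for salted in (False, True):
        db = make_db(USERS, salted)
        work = tables_needed(db) * len(WORDS) * ITERATIONS
        print(f"salted={salted}: one table resolves {matches(table, db)}; "
              f"full coverage needs {tables_needed(db)} table(s), {work} hashes")
```

In the salted database, two users with the same password also get different stored digests, so a match on one record reveals nothing about the other.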
