On Jul 30, 2009, at 11:43 PM, Bottiger wrote: >> Dictionary attacks work for short >> passwords, but are impractical against longer passwords. A password >> using letters, numbers and a few special characters carries in excess >> of 6 bits of information per character. 10 bytes of password plus 10 >> bytes of random salt gives us 120 bits total, for a dictionary space >> of 2^120 hashes. > >> On the other hand, a hash of a >> single deterministic transform of each password requires one hash per >> password. > > This entire argument is wrong because the salt is in plaintext and > available to the attacker when the DB is compromised. You are not > increasing the search space when you add a salt in a rainbow hash > attack because the attacker already knows the salt. If you want to > make the search space larger, you need to increase the size of the > password **prior** to hashing, not after it is hashed.
Better passwords are more secure, yes. Making a password bigger by means of a deterministic transform of a short password is of no help whatsoever (unless you keep the transform a secret, of course, but nobody is proposing that). If the attacker knows (by reading the web2py source) that you're, say, concatenating the base password three times, then he knows that you haven't increased the password space by even one entry: there's a 1:1 mapping between base passwords and transformed passwords. That's the problem. --~--~---------~--~----~------------~-------~--~----~ You received this message because you are subscribed to the Google Groups "web2py-users" group. To post to this group, send email to web2py@googlegroups.com To unsubscribe from this group, send email to web2py+unsubscr...@googlegroups.com For more options, visit this group at http://groups.google.com/group/web2py?hl=en -~----------~----~----~----~------~----~------~--~---
