[WEB SECURITY] thoughts on salted passwords within web applications?

Brian Eaton eaton.lists at gmail.com
Sun Jan 27 23:20:42 EST 2008


On Jan 27, 2008 5:17 PM, Nicolae Namolovan <adrenalinup at gmail.com> wrote:
> But if a rainbow table for 14-char strings is 64 gigabytes, do you
> imagine what kind of rainbow table you need for all possible 64-char
> strings?

The tables will be indexed by plain text passwords, not by the hashed
versions.  Unless you're going to force your users to memorize 64
character strings for passwords, the output hash length isn't going to
help.

> >going to use a botnet to build rainbow tables for it.
> I don't mean to be rude, but why not use a botnet to brute-force any
> protection in the world? That's easy.

If you don't use salts, the botnet is going to crack all of your
passwords at once.  If you do use salts, the botnet has to break them
one at a time.

Cheers,
Brian
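The two points above (a precomputed table is keyed by candidate passwords, so digest length does not change its size, and per-user salts force the attacker to redo the work for every account) can be shown in a few lines. The following is an added illustration, not code from Brian's message or from the list; the user records, the wordlist and the use of plain SHA-256/SHA-512 are constructed for the demonstration (a real deployment would use a slow, salted KDF such as PBKDF2, bcrypt, scrypt or Argon2, which this example deliberately omits to keep the work counts visible).

```python
import hashlib
import os

# Constructed sample user database (example data, not from the original post).
# alice and carol share a password, which matters for the unsalted case.
USERS = {
    "alice": "password1",
    "bob": "letmein",
    "carol": "password1",
}

# Constructed attacker wordlist, standing in for the inputs to a rainbow table.
CANDIDATES = ["123456", "password1", "qwerty", "letmein", "dragon"]


def unsalted_hash(password: str, algo: str = "sha256") -> str:
    """Hash the password alone. Any hashlib algorithm name works."""
    return hashlib.new(algo, password.encode()).hexdigest()


def salted_hash(password: str, salt: bytes, algo: str = "sha256") -> str:
    """Hash a per-user random salt together with the password."""
    return hashlib.new(algo, salt + password.encode()).hexdigest()


def store_unsalted(users, algo="sha256"):
    """Password store without salts: equal passwords give equal digests."""
    return {u: unsalted_hash(p, algo) for u, p in users.items()}


def store_salted(users, salt_len=16, algo="sha256"):
    """Password store with a fresh random salt per user."""
    stored = {}
    for user, password in users.items():
        salt = os.urandom(salt_len)
        stored[user] = (salt, salted_hash(password, salt, algo))
    return stored


def crack_unsalted(stored, candidates, algo="sha256"):
    """Build the table once, then crack every account by lookup.

    Returns (cracked accounts, number of hash computations). The table is
    indexed by candidate password, so its size is len(candidates) no matter
    how long the digest is.
    """
    table = {unsalted_hash(c, algo): c for c in candidates}
    work = len(candidates)
    found = {u: table[h] for u, h in stored.items() if h in table}
    return found, work


def crack_salted(stored, candidates, algo="sha256"):
    """Per-user salts: the table must be recomputed for each user's salt.

    Returns (cracked accounts, number of hash computations). The attacker
    stops at the first match per user, so work is at least one hash per
    user and at most len(users) * len(candidates).
    """
    found = {}
    work = 0
    for user, (salt, digest) in stored.items():
        for candidate in candidates:
            work += 1
            if salted_hash(candidate, salt, algo) == digest:
                found[user] = candidate
                break
    return found, work


if __name__ == "__main__":
    for algo in ("sha256", "sha512"):
        found, work = crack_unsalted(store_unsalted(USERS, algo), CANDIDATES, algo)
        print(f"unsalted {algo}: cracked {sorted(found)} with {work} hashes")
    found, work = crack_salted(store_salted(USERS), CANDIDATES)
    print(f"salted sha256: cracked {sorted(found)} with {work} hashes")
```

With the constructed data the unsalted store falls with 5 hash computations regardless of whether SHA-256 or SHA-512 is used, and alice and carol are visibly the same password before any cracking starts. The salted store costs the attacker a separate run per user (8 hashes here, up to 15 in the worst case for this wordlist), and the two identical passwords no longer share a digest.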

----------------------------------------------------------------------------
The Web Security Mailing List Archives:
http://www.webappsec.org/lists/websecurity/