[WEB SECURITY] thoughts on salted passwords within web applications?

euronymous minchia.lusardu at gmail.com
Mon Jan 28 19:50:01 EST 2008

Nicolae Namolovan wrote:
> I'm not sure you have understand what sha512->whirlpool->md5 mean.
> This mean, pass user password through sha512 function, you'll get a 64
> chars long hash, after pass this 64 long hash through whirlpool,
> you'll get another 64 long hash of previous 64 chars hash, and after,
> pass this second hash through md5, you'll get 32 long md5 hash.
> Maybe you should reread my previous post, not sure.
> But if having a rainbow table of 14 chars string is 64gigabytes, do
> you imagine what kind of rainbow table do you need for all possible 64
> chars strings ?
> And if you are realy paranoiac, you can mix salted passwords with
> multiple-times hashing, this will certainly make impossible restoring
> of the password with any resources..
>> going to use a botnet to build rainbow tables for it.
> I don't mean to be rude, why don't use a botnet to brute force any
> protection in the world, that's easy.
> On Jan 27, 2008 9:50 PM, Brian Eaton <eaton.lists at gmail.com> wrote:
>> On Jan 26, 2008 9:16 PM, Nicolae Namolovan <adrenalinup at gmail.com> wrote:
>>> Currently in my application I have hash function what is doing this %)
>>> sha512->whirlpool->md5
>> This is scary.  I don't mean to be rude, but I hope your scheme never
>> becomes popular and is never used to protect anything important.  If
>> your scheme does get popular, someone is going to use a botnet to
>> build rainbow tables for it.  What are you going to do then?  (Hint:
>> adding another hash isn't going to fix it.)
>> Does anyone have a recommendation for a really good open source
>> password authentication and storage system?
>> Cheers,
>> Brian
Hi guys...

I think we're missing the point here...
I mean...do you think that big online business enterprises like google, 
amazon, ebay loose time speaking about "which hash function we must use 
to store in a secure way passwords, tokens, whatever" ?

you just use sha2 or 512 and you're totally safe...

please read practical cryptography from bruce shneider, and tell me 

I think you can spent your time securing your assets in more useful ways 
than speaking on how many  digests must be chained...
anyway if you want something really powerful....use blowfish as openbsd 
do with system passwords...I think that 3 chained hash functions need 
more or less the same computational power...

Michele "euronymous"

Join us on IRC: irc.freenode.net #webappsec

Have a question? Search The Web Security Mailing List Archives: 

Subscribe via RSS: 
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]

More information about the websecurity mailing list