On Thursday 08 April 2010 08:12:24 pm Toby Corkindale wrote:
> On 08/04/10 22:49, Daniel Pittman wrote:
> > ...but your lost database *also* exposed user account/password pairs,
> > which can now be tried against other services, since people usually use
> > the same weak password and username all over the place.
>
> .. if they are using sufficiently weak passwords, such that they're
> present in a rainbow table? (Or do such rainbow tables contain every
> single possible SHA-1 value, i.e. from random-looking strings that happen
> to correspond to the same SHA-1 as the actual password?)
Or weak enough to brute-force. Not using salt reduces the difficulty of
brute-forcing passwords by an order of magnitude (well, some number of orders
of magnitude depending on the number of users you have) because you can make a
single cracking run against *all users' passwords in parallel* rather than
attacking each account individually.

Andrew

_______________________________________________
List: [email protected]
Listinfo: http://lists.scsys.co.uk/cgi-bin/mailman/listinfo/catalyst
Searchable archive: http://www.mail-archive.com/[email protected]/
Dev site: http://dev.catalyst.perl.org/
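To make the work-factor point above concrete, here is an added Python example (not from the thread) that counts SHA-1 computations needed to check a wordlist against an unsalted hash store versus a per-user-salted one; the accounts and the wordlist are constructed for illustration.

```python
import hashlib
import os
from collections import defaultdict

# Constructed sample data: a few accounts, two of which reuse a weak password.
ACCOUNTS = {"alice": "password", "bob": "letmein", "carol": "password", "dave": "qwerty"}
# Constructed wordlist standing in for a dictionary or rainbow table.
WORDLIST = ["123456", "password", "letmein", "qwerty", "dragon"]


def sha1_hex(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()


def store_unsalted(accounts: dict) -> dict:
    """Unsalted SHA-1: identical passwords produce identical digests."""
    return {user: sha1_hex(pw.encode()) for user, pw in accounts.items()}


def store_salted(accounts: dict, salt_len: int = 16) -> dict:
    """Per-user random salt kept beside the digest of salt || password."""
    store = {}
    for user, pw in accounts.items():
        salt = os.urandom(salt_len)
        store[user] = (salt.hex(), sha1_hex(salt + pw.encode()))
    return store


def guess_unsalted(store: dict, wordlist: list) -> tuple:
    """One run covers every account: each word is hashed once and looked up.
    Returns (recovered {user: password}, number of hash computations)."""
    by_digest = defaultdict(list)
    for user, digest in store.items():
        by_digest[digest].append(user)
    recovered, work = {}, 0
    for word in wordlist:
        work += 1
        for user in by_digest.get(sha1_hex(word.encode()), []):
            recovered[user] = word
    return recovered, work


def guess_salted(store: dict, wordlist: list) -> tuple:
    """Salt forces a separate run per account: the same word must be
    re-hashed with each user's salt, so work grows with the user count."""
    recovered, work = {}, 0
    for user, (salt_hex, digest) in store.items():
        for word in wordlist:
            work += 1
            if sha1_hex(bytes.fromhex(salt_hex) + word.encode()) == digest:
                recovered[user] = word
                break
    return recovered, work
```

With these four accounts the unsalted store is covered in 5 hash computations (one per word, catching both reusers of "password" at once), while the salted store needs 11; with N users the gap is roughly a factor of N.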
