Salting a password is meant, primarily, to help prevent what's known as rainbow attack. Networks of pc's have spent a bunch of computing time creating a database of MD5 hashes of all character strings of a certain length. So you can download a db of MD5 hashes of all 6 character strings with a character space of A-Za-z0-9 for instance. The simplest db's are just all lower case a-z character strings from 4 to 8 characters. Others are more complicated sets. When you snag someones one-way hashed password you simply do a lookup on your rainbow table and try to find the matching plain text string that created the hash.
The more complicated the space you are searching (upper and lower case plus numbers and special characters for instance) and password length (4 versus 6 versus 8) determine how difficult it is to create a db of hashes that cover that space. It also determines how big and cumbersome those dbs will be. Some hash tables are already in the many gb in size. Salting a password before it is hashed is a cheap way to greatly increase the length of the password and potentially the space it covers as well. If you have a salt of 20 characters with random bits of the odd part of the 8859-1 character set then the hash of even a simple password is going to be sufficiently complex enough to defeat most rainbow attacks. If a hacker does get your salt value it doesn't actually help them all that much. I could see scenarios where a smart set of hackers working on a high value target would be able to use the known salt value to decrease the search space some. But if you knew the 20 character string and knew it was tacked onto a 6 character user password you'd still have to go about calculating hashes of all 6 character + 20 known character strings which would take quite some time and you wouldn't be able to take advantage of any precompiled rainbow attack dbs. One other note on this bit is that people should start transitioning from MD5 to other one-way hashes such as SHA-1 as it turns out that there is a cryptographic weakness in the MD5 algorithm that renders it more predictable than originally thought. Judah On Wed, Jan 14, 2009 at 6:41 PM, <[email protected]> wrote: > does salting a hashed password really make a difference? Is the goal such > that if a hacker gets to the database they won't have the salt used to hash > the pw making it more difficult to crack the pw? Just curious... > > Thanks, > mike > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~| Adobe® ColdFusion® 8 software 8 is the most important and dramatic release to date Get the Free Trial http://ad.doubleclick.net/clk;207172674;29440083;f Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:317976 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=11502.10531.4
