> With 4K possible salts, you'd need a
> very large password file to have more than a very few collisions,

Definition of "very large" can vary. (alliteration intended).[...]
UCSD has maybe 60,000 active users.  I think "very large" is very common
in the University environment.

Different decade, different threat models, different scales.
It was probably pretty rare to have more than a
couple of hundred users on a PDP-11,
but even at 60-70 you're in birthday-collision range with a 12-bit salt.
But a website could easily have a million users in its password files,
and some systems like Yahoo and Hotmail have hundreds of millions,
though obviously they're not all separate Unix userids.
Sometimes it matters if they get stolen, sometimes not -
I don't care if someone discovers that
my New York Times web password is "password",
but I'd be really annoyed if my online banking password got cracked.

Salt is designed to address a couple of threats
- Pre-computing password dictionaries for attacking wimpy passwords
        These become harder to do online, pushing a dictionary of
        e.g. a million words to 4 billion, or ~32GB,
        an unreasonably large database for ~1975 crackers,
        though obviously you could use a manageable stack of tapes.
        Today that fits in my iPod, though it's still impractical
        to store an unsalted full-56-bit DES password dictionary.
- Detecting password collisions within systems, and between systems
        Testing a known password against 4096 salts
        took a long time at 0.5 MIPS, but it's faster at 4000 MHz.
        Large systems will have internal collisions,
        and the web makes it even more likely that somebody
        will have logins on insecure systems
        that might have the same password as their "secure" logins.
- Annoying then-hypothetical hardware DES crackers
        That's still useful against some designs today,
        though many designs, especially software,
        are table-driven in ways that aren't annoyed much.

There are probably times that salt is useful, and that password files
using hashes are useful, but I'd think that if you're going to do that
today you might as well use 64 or preferably 128 bits of salt,
and of course you might want a hash other than MD5 or SHA-1.

The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]

Reply via email to