Clark Morris wrote:

> Would you mind explaining further what unsalted passwords are?

It's not unsalted passwords, it's unsalted hashes. The "salt" means "added entropy" (randomness). For example, when the password for [email protected] is hashed, you might add "[email protected]" to the hashing process. That means that if Clark's password is IBM and my password is IBM, the hashes aren't the same.

The way that these unsalted hashes are cracked is by hashing common words and comparing. So if "IBM" hashes to "CF34D038" (yes, it would be longer, but) and they find "CF34D038" in the list of stolen hashes, they know they've found a password of "IBM". If the stolen data includes the userid/hash pairs, they now know that the userid with that hash has a password of "IBM".

If the passwords were salted, then even knowing that "[email protected]" was the salt for that account doesn't help (much), because now you have to hash every password you're trying against "[email protected]". This is why unsalted=bad, as is using the same salt for all the passwords.

Does this make sense?

-- 
...phsiii
Phil Smith III
[email protected]
Voltage Security, Inc.
www.voltage.com

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [email protected] with the message: INFO IBM-MAIN
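The point Phil makes above, as an added illustration that is not part of the original thread: with unsalted hashes, two users sharing a password get the same stored value and a precomputed table of hashed common words matches it directly; with a per-user random salt, the stored values differ and each candidate must be re-hashed per account. The word list and user records are constructed for the demo, and plain SHA-256 stands in for whatever hash the real system uses.

```python
import hashlib
import os

# Constructed sample of "common words" an attacker would precompute.
COMMON_WORDS = ["password", "welcome", "IBM", "letmein"]


def hash_unsalted(password: str) -> str:
    """Hash the password alone: identical passwords give identical hashes."""
    return hashlib.sha256(password.encode()).hexdigest()


def hash_salted(password: str, salt: bytes) -> str:
    """Mix a per-account salt into the hash input (salt is stored with the hash)."""
    return hashlib.sha256(salt + password.encode()).hexdigest()


def make_user_record(password: str) -> dict:
    """Create a stored record the way a salted system would: random salt + hash."""
    salt = os.urandom(16)
    return {"salt": salt.hex(), "hash": hash_salted(password, salt)}


def verify_password(record: dict, password: str) -> bool:
    """Normal login check: re-hash the attempt with the stored salt and compare."""
    return hash_salted(password, bytes.fromhex(record["salt"])) == record["hash"]


def precomputed_table(words) -> dict:
    """Table of unsalted hash -> word; built once, reusable against any stolen list."""
    return {hash_unsalted(w): w for w in words}


def lookup_unsalted(stolen_hash: str, table: dict):
    """One dictionary lookup recovers the word if the hash was unsalted."""
    return table.get(stolen_hash)


def lookup_salted(record: dict, words) -> tuple:
    """Against a salted record the table is useless: every candidate must be
    re-hashed with this account's salt. Returns (word_or_None, hashes_computed)."""
    salt = bytes.fromhex(record["salt"])
    computed = 0
    for w in words:
        computed += 1
        if hash_salted(w, salt) == record["hash"]:
            return w, computed
    return None, computed
```

The salted lookup still succeeds for a weak password, but only after per-account work, which is the "doesn't help (much)" in the reply; reusing one salt for every account would restore a single shared table.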

