On Dec 11, 2012, at 8:12 PM, Ken Dibble <[email protected]> wrote:
> Wait a minute. There's no such thing as a free lunch.
>
> Assuming gensalt() produces a unique random salt each time, then the result
> of:
>
> bcrypt.gensalt(10)
>
> must have been placed into some kind of persistent storage associated with
> the user's login. So where is it? And how do we back it up? And why is this
> better than storing the salt value in the table with the user's login?
It does not produce a single value. Rather, it produces 2^10 values,
and repeatedly re-hashes them with the original password in a way that the
result is a value that when re-hashed with the original password, re-generates
the hash.
I don't claim to understand it. I only know that I've tested it
repeatedly and it works.
> If it doesn't produce a unique random salt each time, then bcrypt would have
> to be brute-force testing some finite number of pre-determined salt values
> for each validation until it finds the one that matches or exhausts all of
> the possibilities. Maybe this is how the amount of time this takes gets
> controlled. But if there's a finite number of pre-determined salt values,
> even if that number is very large, then it can be cracked eventually.
Again, the mathematics of this is way above my understanding. But
that's the point I've been trying to make in this thread: there are people who
devote their entire lives to these concepts. There is no way that you or I in a
matter of a few hours will be able to outsmart them. And these aren't just
normal people, BTW. Since the stakes are so high when it comes to security,
these are the cream of the crop of PhDs in mathematics who are being paid
incredible sums of money to stay ahead of the bad guys, who are paying
incredible sums of money to other equally exceptional PhDs to defeat the
security experts. Anyone who thinks that in their spare time they can come up
with something that will be secure is truly delusional.
-- Ed Leafe
_______________________________________________
Post Messages to: [email protected]
Subscription Maintenance: http://mail.leafe.com/mailman/listinfo/profox
OT-free version of this list: http://mail.leafe.com/mailman/listinfo/profoxtech
Searchable Archive: http://leafe.com/archives/search/profox
This message:
http://leafe.com/archives/byMID/profox/[email protected]
** All postings, unless explicitly stated otherwise, are the opinions of the
author, and do not constitute legal or medical advice. This statement is added
to the messages for those lawyers who are too stupid to see the obvious.
