> bcrypt.gensalt(10)
>
> must have been placed into some kind of persistent storage associated
with the user's login. So where is it? And how do we back it up? And why
is this better than storing the salt value in the table with the user's login?
It does not produce a single value. Rather, it produces 2^10
values, and repeatedly re-hashes them with the original password in a way
that the result is a value that when re-hashed with the original
password, re-generates the hash.
I don't claim to understand it. I only know that I've tested it
repeatedly and it works.
Okay. The "hash" string is actually only part hash. It is, in fact, a
parseable structure that contains elements indicating the specific
algorithm used, the "strength" value, the salt value (stored as "plain
text"*) and, finally, the actual hash of pwd + salt. The first three
elements of this structure are delimited and/or constant. See:
http://stackoverflow.com/questions/6832445/how-can-bcrypt-have-built-in-salts
So that being the case, if you steal the table containing these strings,
then you can parse out the salt and use it for a dictionary attack on
passwords. The advantage of the bcrypt system doesn't derive from not
having to store salts with user logins, it derives from the amount of time
it takes to run each iteration of the brute force attack, and the fact that
you can increase that amount of time as hardware gets faster.
* "plain text" for some value of "plain"; the cited example says the salt
is stored in 22 characters of "modified Base-64" which decode to a 16-byte
value. The point is that the number of characters is known and the encoding
mechanism doesn't require a private key to reverse, thus the salt is not
encrypted.
Ken Dibble
www.stic-cil.org
_______________________________________________
Post Messages to: [email protected]
Subscription Maintenance: http://mail.leafe.com/mailman/listinfo/profox
OT-free version of this list: http://mail.leafe.com/mailman/listinfo/profoxtech
Searchable Archive: http://leafe.com/archives/search/profox
This message:
http://leafe.com/archives/byMID/profox/[email protected]
** All postings, unless explicitly stated otherwise, are the opinions of the
author, and do not constitute legal or medical advice. This statement is added
to the messages for those lawyers who are too stupid to see the obvious.
