> So that being the case, if you steal the table containing these
> strings, then you can parse out the salt and use it for a dictionary
> attack on passwords.
Good luck with that. The whole point is to make such an attack, even if
possible, so terribly expensive and time-consuming that it isn't worth the
effort. Read up on what it would take to do what you think it would take to
reverse-engineer the salt from a table of bcrypt hashes, and then tell me
how vulnerable this is.
That's why I said, "The advantage of the bcrypt system doesn't derive from
not having to store salts with user logins, it derives from the amount of
time it takes to run each iteration of the brute force attack, and the fact
that you can increase that amount of time as hardware gets faster."
I recognize there are times when I have to accept recommendations from
"experts". But I never blindly trust "experts" or anybody else. In my 55
years of living I have encountered far too many incompetent people with
lots of letters after their names to believe that advanced degrees really
mean anything. Nor do I believe that the names of certain universities or
companies have any particularly reliable meaning. In the end, I only
believe in proven outcomes of what people have actually done. It would be
interesting to see statistics on the extent to which systems using bcrypt
have been hacked, as compared to systems using other methods that a year or
two ago were widely hailed as the absolutely, positively state-of-the-art
fail-safe. And then to look at the statistics again in two years or so,
when, presumably, somebody else will claim to have a fail-safe solution
that is better than bcrypt.
I freely admit that "faith" means nothing to me. I am simply incapable of
having "faith", when faith means choosing to believe something is true in
the absence of proof or at least a sound path of logic indicating it is
reasonable to assume truth. The entire concept of "faith" makes no sense to
me at all, nor do I see any value in it. So maybe that's just my own
personality.
But I have a responsibility to carry out due diligence and do my best to
understand, at least in general terms, what is being proposed and how it
works, and what the costs and benefits are, before I make a decision. I
won't sluff off that responsibility to anybody else, no matter who they are
or what they claim their credentials to be.
Ken Dibble
www.stic-cil.org
_______________________________________________
Post Messages to: [email protected]
Subscription Maintenance: http://mail.leafe.com/mailman/listinfo/profox
OT-free version of this list: http://mail.leafe.com/mailman/listinfo/profoxtech
Searchable Archive: http://leafe.com/archives/search/profox
This message:
http://leafe.com/archives/byMID/profox/[email protected]
** All postings, unless explicitly stated otherwise, are the opinions of the
author, and do not constitute legal or medical advice. This statement is added
to the messages for those lawyers who are too stupid to see the obvious.
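The two points argued in the thread above (the salt is stored in the clear inside the bcrypt string, and the protection comes from the cost factor, which an operator raises as hardware gets faster) can be checked directly against the string format. The following is an added example, not code from the thread or from any bcrypt implementation: it parses the modular-crypt-format layout `$<version>$<cost>$<22-char salt><31-char digest>`, shows how much attacker throughput each cost step removes, and implements the defender-side "rehash on login if the stored cost is below policy" check. The sample hash string, the `base_rate` figure and the `MINIMUM_COST` policy are constructed for illustration and are assumptions.

```python
import re
from dataclasses import dataclass

# bcrypt's on-disk layout (modular crypt format):
#   $<version>$<cost>$<22 chars of salt><31 chars of digest>
# Both salt and digest use bcrypt's own base64 alphabet: . / A-Z a-z 0-9
_BCRYPT_RE = re.compile(
    r"^\$(?P<version>2[abxy]?)\$(?P<cost>\d{2})\$"
    r"(?P<salt>[./A-Za-z0-9]{22})(?P<digest>[./A-Za-z0-9]{31})$"
)


@dataclass(frozen=True)
class BcryptFields:
    version: str
    cost: int      # log2 of the key-setup rounds; each +1 doubles the work
    salt: str      # stored in the clear, by design
    digest: str


def is_bcrypt(hash_string: str) -> bool:
    """True if the string has the bcrypt layout above."""
    return _BCRYPT_RE.match(hash_string) is not None


def parse_bcrypt(hash_string: str) -> BcryptFields:
    """Split a bcrypt string into version, cost, salt and digest."""
    m = _BCRYPT_RE.match(hash_string)
    if m is None:
        raise ValueError("not a bcrypt hash string")
    return BcryptFields(m["version"], int(m["cost"]), m["salt"], m["digest"])


def guesses_per_second(cost: int, base_cost: int, base_rate: float) -> float:
    """Attacker throughput at `cost`, given a measured rate at `base_cost`.

    The cost parameter is an exponent: bcrypt runs 2**cost key-setup rounds,
    so every step up halves the number of password guesses per second.
    Knowing the salt does not change this; it only removes precomputation.
    """
    return base_rate / (2 ** (cost - base_cost))


# Deployment policy (assumed value): any stored hash below this cost is
# recomputed the next time the user logs in successfully.
MINIMUM_COST = 12


def needs_rehash(hash_string: str, minimum_cost: int = MINIMUM_COST) -> bool:
    """Defender-side check run after a successful login."""
    return parse_bcrypt(hash_string).cost < minimum_cost


# Constructed sample: syntactically valid bcrypt string with cost 10.
# It is not claimed to be the hash of any particular password.
SAMPLE = "$2b$10$" + "N9qo8uLOickgx2ZMRZoMye" + "IjZAgcfl7p92ldGxad68LJZdL17lhWy"


if __name__ == "__main__":
    fields = parse_bcrypt(SAMPLE)
    print(f"version={fields.version} cost={fields.cost} salt={fields.salt}")
    # Assumed baseline: 1000 guesses/s at cost 10 on some attacker hardware.
    for cost in (10, 12, 14):
        print(f"cost {cost}: {guesses_per_second(cost, 10, 1000.0):.1f} guesses/s")
    print("rehash needed:", needs_rehash(SAMPLE))
```

The salt being readable from the string is expected; it is what stops a precomputed table from covering every user at once. The value that changes over time is the cost, and `needs_rehash` is the hook that lets an operator raise it for existing accounts without forcing a password reset.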