Lee wrote:
So something like public key encryption is infeasible to crack because cracking it requires factoring large numbers. I suspect password hashes are in the middle ground.. Somebody like the NSA probably has a rainbow table for every popular password hashing scheme, so if they're interested they've already broken "$5$sdsd7f89sd7fsda89f7$9AO/NHJbfjwllqiFOOeq63ICdSDwaejGNa36IL6d4pC" (assuming it _is_ a valid password hash :)
That's where "salts", which I think were mentioned earlier in this thread, come in. For each user, a few extra characters (known as the salt) are generated and stored. On setting the password, the salt is added to the password, then that combination is hashed and the hash stored. On checking a password entered for authentication, the salt is looked up and added to the entered password, then that combination is hashed and compared against the original hash. If the password matches, and the same salt is used, the hashes will match.
A pre-generated rainbow table is useless, since it didn't append the correct salt to each password before hashing it. Even if the salt values are discovered, a separate table has to be generated for each user, since the salts will be different. So it's no easier than brute force anyway.
But against someone doing a brute-force or dictionary attack that hash might be safe.. Regards, Lee
Mark. _______________________________________________ support-seamonkey mailing list [email protected] https://lists.mozilla.org/listinfo/support-seamonkey
