On Jul 31, 2009, at 12:35 AM, Bottiger wrote: > > Again, you haven't taken the time to understand what I have said. > > What you've been complaining about is only valid if you use the same > salt for every password. > > Having a salt be a function of the password is not the same thing as > having the same salt for every password.
For all practical purposes, it is the same. The underlying problem is that there's a 1:1 correspondence between the base password and the salted password, so that only one rainbow table need be precomputed. > > On Jul 31, 12:31 am, Jonathan Lundell <[email protected]> wrote: >> On Jul 31, 2009, at 12:16 AM, Bottiger wrote: >> >> >> >>>> If the attacker knows (by reading the web2py source) that you're, >>>> say, >>>> concatenating the base password three times, then he knows that you >>>> haven't increased the password space by even one entry: there's a >>>> 1:1 >>>> mapping between base passwords and transformed passwords. >> >>> So far you have kept on ignoring the gist of the problem. If the >>> attacker has access to the salt, it doesn't matter whether or not >>> you >>> know the relationship between the password and the salt because you >>> already know the salt. The attacker could not care less about >>> whether >>> you used a random number generator or a function related to the >>> password. >> >>>> If the attacker knows (by reading the web2py source) that you're, >>>> say, >>>> concatenating the base password three times, then he knows that you >>>> haven't increased the password space by even one entry: there's a >>>> 1:1 >>>> mapping between base passwords and transformed passwords. >> >>> Can you please actually take some time to understand my previous >>> comments? You could use a random 10000000000 byte salt, and it >>> wouldn't increase your password space for that password. All the >>> attacker needs to do is this: >> >>> for candidate in permutations(alphanumeric_and_symbols): >>> if md5(candidate+salt) == hash: return candidate >> >>> This is the same brute force method that would be used when you >>> have a >>> completely random salt or a salt based on the password itself. >>> Again I >>> repeat, the attacker could not care less about whether you used a >>> random number generator or a function related to the password. >> >> The difference is that with a deterministic transform of the password >> (this includes static salt, or salt that's a function of the base >> password), the attacker performs your loop once and solves every >> password in his list. And the loop result can be precomputed into a >> rainbow table. >> >> With random salt, the attacker must perform the loop (and it's a long >> loop) once for every hash he wants to attack. And the loop result >> cannot (practically) be precomputed. >> >> OK? Deterministic transform means that one pass through the loop, >> precomputed, breaks all passwords in the permutation dictionary. >> >> Random salt means that one pass through the loop breaks *one* >> password >> *if* it's in the permutation dictionary. And it can't be precomputed. >> >> Again, it's no substitute for a strong password. But it helps. > > --~--~---------~--~----~------------~-------~--~----~ You received this message because you are subscribed to the Google Groups "web2py-users" group. To post to this group, send email to [email protected] To unsubscribe from this group, send email to [email protected] For more options, visit this group at http://groups.google.com/group/web2py?hl=en -~----------~----~----~----~------~----~------~--~---
