.. And even if you use the same salt for each password It'd still be a
time-consuming job since for each "clear" password in a rainbow table
you'd have to "recompute" the new hash based on the salt and scan the
rainbow table entirely for each record, now I totally agree that
adding a salt for each password (obviously it has to be predictable so
we can generate the hash again at log in time) will strengthen the
passwords greatly.
My suggestion is simply implement the new salting algorithm, move the
unsalted hashed password to a lookup table (which will be deleted
eventually), and "expire" the passwords for all your users, and on the
next logon, they will have to type the old one, then create a new one
and this time it'll be hashed with the proper salt, this way, even
though "compatibility" will break, we'll still have a means to
"correct" this.
The way I do it in pyforum for instance, is this:
passwd = "Hello World"
hashed_pwd_tmp = hashlib.md5(passwd).hexdigest()
hashed_passwd = hashlib.md5("%s%s" % (tmp_hashed_pwd,
passwd)).hexdigest()
So basically I prepend (or append, I don't have the code at this time)
the hashed password to the clear password and re-hash the whole string
again, breakable? of course, but exponentially harder.
Julio
On Jul 31, 12:35 am, Bottiger <[email protected]> wrote:
> Again, you haven't taken the time to understand what I have said.
>
> What you've been complaining about is only valid if you use the same
> salt for every password.
>
> Having a salt be a function of the password is not the same thing as
> having the same salt for every password.
>
> On Jul 31, 12:31 am, Jonathan Lundell <[email protected]> wrote:
>
> > On Jul 31, 2009, at 12:16 AM, Bottiger wrote:
>
> > >> If the attacker knows (by reading the web2py source) that you're,
> > >> say,
> > >> concatenating the base password three times, then he knows that you
> > >> haven't increased the password space by even one entry: there's a 1:1
> > >> mapping between base passwords and transformed passwords.
>
> > > So far you have kept on ignoring the gist of the problem. If the
> > > attacker has access to the salt, it doesn't matter whether or not you
> > > know the relationship between the password and the salt because you
> > > already know the salt. The attacker could not care less about whether
> > > you used a random number generator or a function related to the
> > > password.
>
> > >> If the attacker knows (by reading the web2py source) that you're,
> > >> say,
> > >> concatenating the base password three times, then he knows that you
> > >> haven't increased the password space by even one entry: there's a 1:1
> > >> mapping between base passwords and transformed passwords.
>
> > > Can you please actually take some time to understand my previous
> > > comments? You could use a random 10000000000 byte salt, and it
> > > wouldn't increase your password space for that password. All the
> > > attacker needs to do is this:
>
> > > for candidate in permutations(alphanumeric_and_symbols):
> > > if md5(candidate+salt) == hash: return candidate
>
> > > This is the same brute force method that would be used when you have a
> > > completely random salt or a salt based on the password itself. Again I
> > > repeat, the attacker could not care less about whether you used a
> > > random number generator or a function related to the password.
>
> > The difference is that with a deterministic transform of the password
> > (this includes static salt, or salt that's a function of the base
> > password), the attacker performs your loop once and solves every
> > password in his list. And the loop result can be precomputed into a
> > rainbow table.
>
> > With random salt, the attacker must perform the loop (and it's a long
> > loop) once for every hash he wants to attack. And the loop result
> > cannot (practically) be precomputed.
>
> > OK? Deterministic transform means that one pass through the loop,
> > precomputed, breaks all passwords in the permutation dictionary.
>
> > Random salt means that one pass through the loop breaks *one* password
> > *if* it's in the permutation dictionary. And it can't be precomputed.
>
> > Again, it's no substitute for a strong password. But it helps.
--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups
"web2py-users" group.
To post to this group, send email to [email protected]
To unsubscribe from this group, send email to
[email protected]
For more options, visit this group at
http://groups.google.com/group/web2py?hl=en
-~----------~----~----~----~------~----~------~--~---
