Beefy Boxes and Bandwidth Generously Provided by pair Networks
The stupid question is the question not asked
 
PerlMonks  

comment on

( [id://3333]=superdoc: print w/replies, xml ) Need Help??

The salt (as in "a set of random bytes") is appended or prepended mixed into the password and the result is then hashed. Hashing is a one way function. Rainbow tables are hash-realpassword pairs and can be very fast in telling you the password given the hashed-password (as fast as a perl-hashtable=dictionary lookup-by-key, which is, in theory, O(1)). So, if your hashed-password contains a random set of values intermixed with the real password, then the given rainbow does not work anymore! Or at least you will need a different rainbow table for each possible salt (for example, 60^10 for a 60-characters-range, 10-byte-long salts). For these reasons, salts can be stored in your hacked db alongside the password and even in plain text. The cost for the hacker will be enormous. But of course not impossible.

there are a few points that need to be clarified, which I don't know. 1) Should the character set of the salt be the same as the password or what it should be, should it match the statistical distribution of the password? I guess it does not matter, but I am not an expert. 2) Is it really paranoid to store salts in a different db, even in a different host? 3) how about hashing them? I think that would work if salt length is random and character-range in 0-255, so as hacker not to be able to know if unhashing of salt succeeded.

What I am sure about is to never use the built-in RNG for encryption ops! It is looking for trouble big time. Use one of the so-called "cryptographically secure RNG".

bw, bliako


In reply to Re^2: Replacing crypt() for password login via a digest - looking for stronger alternative by bliako
in thread Replacing crypt() for password login via a digest - looking for stronger alternative by davebaker

Title:
Use:  <p> text here (a paragraph) </p>
and:  <code> code here </code>
to format your post; it's "PerlMonks-approved HTML":



  • Are you posting in the right place? Check out Where do I post X? to know for sure.
  • Posts may use any of the Perl Monks Approved HTML tags. Currently these include the following:
    <code> <a> <b> <big> <blockquote> <br /> <dd> <dl> <dt> <em> <font> <h1> <h2> <h3> <h4> <h5> <h6> <hr /> <i> <li> <nbsp> <ol> <p> <small> <strike> <strong> <sub> <sup> <table> <td> <th> <tr> <tt> <u> <ul>
  • Snippets of code should be wrapped in <code> tags not <pre> tags. In fact, <pre> tags should generally be avoided. If they must be used, extreme care should be taken to ensure that their contents do not have long lines (<70 chars), in order to prevent horizontal scrolling (and possible janitor intervention).
  • Want more info? How to link or How to display code and escape characters are good places to start.
Log In?
Username:
Password:

What's my password?
Create A New User
Domain Nodelet?
Chatterbox?
and the web crawler heard nothing...

How do I use this?Last hourOther CB clients
Other Users?
Others perusing the Monastery: (8)
As of 2024-03-29 08:19 GMT
Sections?
Information?
Find Nodes?
Leftovers?
    Voting Booth?

    No recent polls found