in reply to Re^2: SaltedDigest Salt?
in thread SaltedDigest Salt?

Value of salt is that it prevents attacker from creating rainbow tables,

It may prevent them from compromising all the accounts quickly, but it certainly does not prevent them from targeting selected accounts.

If they have both the hash and the salt, it becomes a matter of cpu cycles, and with AWS and others selling those so cheaply, it is just a matter of how much they are prepared to spend.

Value of salt is that it prevents attacker from creating rainbow tables,

I fail to see why? If you've been compromised, you surely need to change all the pass-phrases. At which point you have to rehash anyway.

I'm not saying a constant secret salt is a perfect solution, just convenient and relatively safe if done properly.

But then, there is no "perfect solution".


With the rise and rise of 'Social' network sites: 'Computers are making people easier to use everyday'
Examine what is said, not who speaks -- Silence betokens consent -- Love the truth but pardon error.
"Science is about questioning the status quo. Questioning authority".
In the absence of evidence, opinion is indistinguishable from prejudice.

The start of some sanity?

Re^4: SaltedDigest Salt?
by zwon (Abbot) on Feb 08, 2012 at 14:58 UTC
    prevent them from compromising all the accounts quickly

    No, it prevents them from quickly finding accounts with weak passwords

    certainly does not prevent them from targeting selected accounts. If they have both the hash and the salt, it becomes a matter of cpu cycles, and with AWS and others selling those so cheaply, it is just a matter of how much they are prepared to spend.

    Oh, really? Could you estimate how much it will cost to crack a 16-character random alphanumeric password (let's assume we're using SHA512)? And how many CPUs do I need if I want it in this life? Maybe CPU cycles are not exactly the right thing in this case.

      Start here and read to the end of the subthread.

      Then read about bit-slicing, and vectorisation & parallelisation.

      And when you think you're safe because those references all talk about Windows password schemes and piddly little 64-bit md5 hashes, go read about how a couple of hundred dollars spent on Field Programmable Gate Arrays make tackling your SHA512 hashes a realistic prospect.


        Maybe you should have followed these links yourself first. The only related piece of data I found there is that a guy cracked a 6-character SHA1-hashed password in 2 days 49 minutes, which doesn't even make me feel pity for SHA1. And how did you get from the FPGA link that it makes it possible to crack SHA512?
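
Added example, not part of the thread and not written by any of its participants: a sketch comparing no salt, a constant salt and a per-account random salt over constructed accounts, showing how many hash computations one candidate guess costs across all accounts, and how exhaustive-search time scales with length. The account names, passwords, constant salt value and the reading of the "6 characters in 2 days 49 minutes" figure as a full alphanumeric enumeration are assumptions.

```python
import hashlib
import os

# Constructed sample accounts: two users share one weak password.
ACCOUNTS = {"alice": "letmein", "bob": "letmein", "carol": "x9Qe2LmZ7rTfB4kW"}
CONSTANT_SALT = b"site-wide-secret"  # assumed value, for illustration only


def digest(password: str, salt: bytes) -> str:
    """SHA-512 over salt || password (a plain salted digest, no stretching)."""
    return hashlib.sha512(salt + password.encode()).hexdigest()


def store(scheme: str) -> dict:
    """Build {user: (salt, hash)} for scheme 'none', 'constant' or 'per_user'."""
    table = {}
    for user, password in ACCOUNTS.items():
        if scheme == "none":
            salt = b""
        elif scheme == "constant":
            salt = CONSTANT_SALT
        else:
            salt = os.urandom(16)  # fresh random salt per account
        table[user] = (salt, digest(password, salt))
    return table


def distinct_hashes(table: dict) -> int:
    """Fewer distinct hashes than accounts means shared passwords are visible."""
    return len({h for _, h in table.values()})


def hashes_per_guess(table: dict) -> int:
    """Hash computations needed to test one candidate against every account."""
    return len({salt for salt, _ in table.values()})


def exhaustive_days(length: int, guesses_per_sec: float, alphabet: int = 62) -> float:
    """Days to enumerate every password of the given length at a fixed rate."""
    return alphabet ** length / guesses_per_sec / 86400


# Rate implied by the thread's one data point, ASSUMING that run enumerated
# all 6-character alphanumeric passwords in 2 days 49 minutes.
THREAD_RATE = 62 ** 6 / (2 * 86400 + 49 * 60)

if __name__ == "__main__":
    for scheme in ("none", "constant", "per_user"):
        t = store(scheme)
        print(scheme, distinct_hashes(t), hashes_per_guess(t))
    print(f"16 chars at that rate: {exhaustive_days(16, THREAD_RATE) / 365.25:.3g} years")
```

Each extra character multiplies the search by 62 at a fixed rate, so the 16-character case is 62^10 times the 6-character one; a faster rate divides both figures by the same factor.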