I understand that salts make the same password hash to different values. However, salts are usually stored in the database with the password. So let's say I am an attacker,
Nothing keeps an attacker from just guessing the password.
Salts just make it harder by forcing an attacker to hash the dictionary on a per-user (effectively, per-salt) basis.
To improve security, a tunable hash function is your best bet. Crank the time-per-hash up, making dictionary attacks impractical on whatever hardware your attacker is likely to have available.
Basically, read this.
Your logic is sound, but in reality, with enough computing power and time, there is no protection against dictionary/brute-force attacks.
That's correct. If someone got the password material, a dictionary attack would be effective.
To guard against this:
Without salt, the attacker can generate hashes for every word in his dictionary, then run the new dictionary against your password list.
With salt, each password is hashed with a random string, so even with the prior hashed dictionary knowledge, he still has to re-create a new hashed dictionary containing the salt for every different salt in your database.
Just think of dictionary tables as a subset (small portion) of the rainbow tables. While rainbow tables can contain billions of entries, dictionaries contain "known words", so maybe a few million entries at most.
The reason why rainbow tables fail against salt is because the re-creation process would be "billions of entries" of recalculation while dictionary attacks are still "few millions of entries". The salt just blocks precomputed values.
Salt doesn't prevent dictionary attacks, just precalculated dictionary attacks. In particular, it protects against rainbow tables (http://en.wikipedia.org/wiki/Rainbow_table) and also ensures that cracking one user's password doesn't automatically let you crack any user who shares that password.
The article I linked to mentions some ways to improve upon salting, including key strengthening (http://en.wikipedia.org/wiki/Key_strengthening).
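The points made across the answers above (a salt defeats one precomputed table shared by all accounts, and a tunable function multiplies the cost of every guess) can be checked with a short script. This is an added example, not code from any answer in the thread; the word list, account names, and the choice of PBKDF2 as the tunable function are assumptions made for illustration.

```python
import hashlib
import hmac
import os

# Constructed sample data: a tiny word list and three accounts.
WORDS = ["password", "letmein", "dragon", "monkey", "qwerty"]
USERS = {"alice": "dragon", "bob": "dragon", "carol": "qwerty"}

def unsalted_hash(password):
    return hashlib.sha256(password.encode()).hexdigest()

def salted_hash(password, salt, iterations):
    # PBKDF2 stands in for the tunable function; iterations is the cost knob.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()

def enroll(password, iterations):
    salt = os.urandom(16)  # random per-user salt, stored next to the hash
    return salt, iterations, salted_hash(password, salt, iterations)

def verify(password, record):
    salt, iterations, stored = record
    return hmac.compare_digest(salted_hash(password, salt, iterations), stored)

def table_hits(stored_hashes):
    # One precomputed table (len(WORDS) hashes) is reused against every account.
    table = {unsalted_hash(w) for w in WORDS}
    return sorted(name for name, h in stored_hashes.items() if h in table)

def guessing_cost(n_salts, iterations):
    # Work units (one per hash or PBKDF2 iteration) to try every word on every record.
    return len(WORDS) * n_salts * iterations

def demo(iterations=1000):
    plain = {n: unsalted_hash(p) for n, p in USERS.items()}
    salted = {n: enroll(p, iterations) for n, p in USERS.items()}
    return {
        "unsalted_shared": plain["alice"] == plain["bob"],
        "salted_shared": salted["alice"][2] == salted["bob"][2],
        "table_hits_unsalted": table_hits(plain),
        "table_hits_salted": table_hits({n: r[2] for n, r in salted.items()}),
        "cost_unsalted": guessing_cost(1, 1),
        "cost_salted": guessing_cost(len(salted), iterations),
        "login_ok": verify("dragon", salted["alice"]),
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Raising `iterations` scales `cost_salted` linearly while a legitimate login still pays for only one derivation per attempt.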