Password hashing demystified


#1

[Read the post]


#2

stronger and worser

I couldn’t agree more, indeed’er.


#3

The good thing about rainbow table attacks is that they can be protected against with a sufficiently complex password.

No rainbow table is ever going to have the hash for things like %h63dg$W!dfa in it.

Of course, if all of your passwords look like that, you need to have either an exceptionally good memory, a written down list of passwords, or password management software.


#4

And yet the biggest problem remains the thousands of websites, from banks and merchants thst should know better on down to mom and pop forums, that are still storing their passwords in the clear, or otherwise not following best practices.


#5

If the salt changes per user, then you have to generate a new rainbow table per user. This means that if you have a targeted attack against a single user, and can find the salt used for that user, then you can make a new rainbow table for that user and you may be able to crack the password if the user is using a password in the table.

But the odds that any single user are using a password in the table are low, unless you know you are dealing with someone who is likely to have a common password.

This is completely different from having a dump of all the hashes of all the users, which were all generated using the same salt. In that case, you can simply generate one rainbow table for the salt, and compare your list with their list. Out of tens of thousands of users, you are likely to find a lot who are using passwords in your list, and so you can breach those accounts.


#6

“let me write an ostensibly tech article but for no reason mention my novella”


#7

a 4 digit pin, a couple of funny characters in random spots and a random word or two are also complex enough to get around rainbow tables. easy to remember too.


#8

Well, yes, on an individual basis. However, if you tell a large number of people “Make your password a 4-digit pin, then a symbol, then a random word, then another symbol, and, finally another random word,” then guess how people are going to start generating their random tables?


#9

it would make them prohibitive to generate though, especially with a proper salt. you could also in theory generate a rainbow table for every conceivable ASCII character in every combination.


#10

Well, yes, in theory they’d be hard to break, but there’s still going to be the people who choose 1234!password@secret, and their passwords would be compromised almost instantly.


#11

No reason to make an argument ad absurdum. No one is forcing people to make, specifically, “a 4-digit pin, then a symbol, then a random word, then another symbol, and, finally another random word.” Exactly zero people in the universe are going to have “1234!password@secret” as their password, because the kind of people who think to have those features aren’t going to use that password.

The suggestion to have “4 digit pin and a random word or two” is completely reasonable and sensible, because no one is going to codify it in such a silly way.


#12

yes, but with a proper salt per user (which is standard procedure these days) you’d need to create a new table for each user, and what are the chances that any single user you’d try and crack would be vulnerable to that? it would be expensive enough for a single user, ridiculous to brute force an entire system. it also requires access to the db to get the salt.


#13

You may be right…

But at least someone has already used “correcthorsebatterystaple” as their password.

https://rehmann.co/projects/10mil/

People are going to make their password as easy to remember as possible, and will generally put the things you suggest in the order you suggest them.


#14

Now the one time I tried to properly understand rainbow tables my brains tried to escape out my ears, but I was left with the distinct impression that they were quite a bit more than just lists of precomputed hashes.

Or am I misremembering?


#15

This topic was automatically closed after 5 days. New replies are no longer allowed.