security - The necessity of hiding the salt for a hash -

-

at work have 2 competing theories salts. products work on use user name or phone number salt hash. different each user readily available us. other product randomly generates salt each user , changes each time user changes password. salt encrypted in database.

my question if second approach necessary? can understand purely theoretical perspective more secure first approach, practicality point of view. right authenticate user, salt must unencrypted , applied login information.

after thinking it, don't see real security gain approach. changing salt account account, still makes extremely difficult attempt brute force hashing algorithm if attacker aware of how determine each account. going on assumption passwords sufficiently strong. (obviously finding correct hash set of passwords 2 digits easier finding correct hash of passwords 8 digits). incorrect in logic, or there missing?

edit: okay here's reason why think it's moot encrypt salt. (lemme know if i'm on right track).

for following explanation, we'll assume passwords 8 characters , salt 5 , passwords comprised of lowercase letters (it makes math easier).

having different salt each entry means can't use same rainbow table (actually technically if had 1 of sufficient size, let's ignore moment). real key salt understand, because crack every account have reinvent wheel speak each one. if know how apply correct salt password generate hash, i'd because salt extends length/complexity of hashed phrase. cutting number of possible combinations need generate "know" have password + salt 13^26 8^26 because know salt is. makes easier, still hard.

so onto encrypting salt. if know salt encrypted, wouldn't try , decrypt (assuming know has sufficient level of encryption) first. ignore it. instead of trying figure out how decrypt it, going previous example generate larger rainbow table containing keys 13^26. not knowing salt slow me down, don't think add monumental task of trying crack salt encryption first. that's why don't think it's worth it. thoughts?

here link describing how long passwords hold under brute force attack: http://www.lockdown.co.uk/?pg=combi

the answer here ask you're trying protect from? if has access database, have access encrypted salts, , have access code well. decrypt encrypted salts? if encryption pretty useless anyway. salt there make isn't possible form rainbow table crack entire password database in 1 go if gets broken into. point of view, long each salt unique there no difference, brute force attack required salts or encrypted salts each password individually.


Comments

Post a Comment

Popular posts from this blog

c++ - How do I get a multi line tooltip in MFC -

-
right now, have tool tip pops when hover on edit box. problem tool tip contains multiple error messages , in 1 long line. need have each error message on own line. error messages contained in cstring new line seperating them. my existing code below. bool ontooltiptext(uint, nmhdr* pnmhdr, lresult* presult) { assert(pnmhdr->code == ttn_needtexta || pnmhdr->code == ttn_needtextw); // need handle both ansi , unicode versions of message tooltiptexta* pttta = (tooltiptexta*)pnmhdr; tooltiptextw* ptttw = (tooltiptextw*)pnmhdr; // tchar szfulltext[256]; cstring strtiptext=_t(""); uint nid = pnmhdr->idfrom; if (pnmhdr->code == ttn_needtexta && (pttta->uflags & ttf_idishwnd) || pnmhdr->code == ttn_needtextw && (ptttw->uflags & ttf_idishwnd)) { // idfrom hwnd of tool nid = ::getdlgctrlid((hwnd)nid); } //m_errprojaccel[ch] contains 1 or more error messages each...
Read more

asp.net - In javascript how to find the height and width -

-
i having .aspx , masterpage page. in masterpage loading aspx page . in aspx page design using generating table structure using code-behind server in javascript how find height , width . regards, kumar if you're looking table height , width, should it var tbl = document.getelementbyid('tbldemo'); alert(tbl.offsetwidth + '\n' + tbl.offsetheight);
Read more

c# - DataTable to EnumerableRowCollection -

-
i have datatable according client requirement can contain invalid date "00/00/1999",null,empty string.(typed datset) when collect them enumerables wish convert of invalid forms empty string. (i.e) enumerablerowcollection<datarow> query = order in _table.asenumerable() select new { orderdate= string.isnullorempty(convert.tostring(order.field<datetime>("orderdate")) || (how check date invalid date) ? string.empty : order.field<datetime>("orderdate") } how check whether date valid date or not? datetime.tryparse...like given current code: datetime date; enumerablerowcollection<datarow> query = order in _table.asenumerable() select new { orderdate= string.isnullorempty(convert.tostring(order.field<datetime>("orderdate")) || !datetime.tryparse(convert.tostring(order.field<datetime...
Read more