On Nov 27, 2010, at 10:29 PM, Tom X. Tobin wrote:

> The point is that I'm *not* assuming hardware of equivalent speed.
> I'm assuming that a worst-case attacker has hardware significantly
> faster than your webserver at their disposal, so I was curious if the
> purported benefit still held in that case. Maybe it does; I don't
> know.

Well, yes, it does, for exactly the reason described: The application has to encode exactly one password; the attacker has to try billions in order to brute-force one. If you assume, say, one password per week is the slowest practical attack, and if it takes 10ms to hash one password, the attacker's hardware has to be about 46,654 times more powerful than your web server.

> I'm not arguing that a salt helps against brute-forcing a *single*
> password (it doesn't), but it does in fact help against someone trying
> to brute-force your entire password database (or any subset of more
> than one password), since each password with a different salt lies
> within an entirely different space that must be brute-forced
> separately from the rest.

I'm not sure what you mean by the "space"; I think you are thinking of a rainbow dictionary attack, where the hashes are precomputed; a salt does indeed help (and probably blocks) that kind of attack. In the case of a straight brute-force attack or a standard dictionary attack without precomputing, the only benefit of the salt is that it makes computing the candidate hash a bit longer, based on the length of the salt. It's a trivial amount of time.

Remember, it's extremely inexpensive to brute-force a single MD5 or SHA1 hash, and the salt does not make it appreciably more expensive. If a CUDA application can brute-force 700 million MD5s per second, doubling the length is not really going to make it any more secure.

--
-- Christophe Pettus
x...@thebuild.com
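The arithmetic behind the two claims in the reply above (the defender hashes once while the attacker hashes the whole keyspace, and a salt adds essentially nothing to per-guess cost but does defeat precomputed tables), worked through as an added example. This is not code from the thread or from Django; the 8-character, 36-symbol keyspace, the one-week budget and the sample wordlist are assumptions chosen to reproduce the post's figures.

```python
import hashlib
import math

WEEK_SECONDS = 7 * 24 * 3600


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of candidate passwords an exhaustive search must cover."""
    return alphabet_size ** length


def required_speedup(hash_seconds: float, candidates: int, budget_seconds: float) -> float:
    """How many times faster than the defender's server the attacker must be
    to exhaust `candidates` within `budget_seconds`, given the server spends
    `hash_seconds` on exactly one hash per login.  The defender pays the
    cost once; the attacker pays it `candidates` times."""
    defender_rate = 1.0 / hash_seconds            # hashes per second
    hashes_needed_per_second = candidates / budget_seconds
    return hashes_needed_per_second / defender_rate


def compression_blocks(message_len: int, block_size: int = 64, min_padding: int = 9) -> int:
    """Number of compression-function invocations MD5/SHA-1 perform for a
    message of `message_len` bytes (64-byte blocks, at least 1 byte of
    padding plus an 8-byte length field).  Per-guess cost scales with this,
    so a salt only matters once it pushes the input across a block boundary."""
    return math.ceil((message_len + min_padding) / block_size)


def salt_cost_ratio(password_len: int, salt_len: int) -> float:
    """Relative cost of one salted guess vs. one unsalted guess."""
    return compression_blocks(password_len + salt_len) / compression_blocks(password_len)


# --- precomputed ("rainbow"-style) table demo on a constructed wordlist ---
SAMPLE_WORDLIST = ["password", "letmein", "hunter2", "qwerty"]   # constructed


def build_table(words):
    """Precompute unsalted MD5 digests once, keyed by digest for O(1) lookup."""
    return {hashlib.md5(w.encode()).hexdigest(): w for w in words}


def lookup(table, stored_digest: str):
    """Return the plaintext if the stored digest was precomputed, else None."""
    return table.get(stored_digest)


def md5_hex(data: str) -> str:
    return hashlib.md5(data.encode()).hexdigest()


if __name__ == "__main__":
    space = keyspace(36, 8)
    print("8-char alphanumeric keyspace:", space)
    print("attacker speedup needed for one crack/week at 10 ms/hash:",
          round(required_speedup(0.01, space, WEEK_SECONDS)))
    print("cost of 8-byte guess with 16-byte salt vs. none:", salt_cost_ratio(8, 16))
    table = build_table(SAMPLE_WORDLIST)
    print("unsalted lookup:", lookup(table, md5_hex("hunter2")))
    print("salted lookup:", lookup(table, md5_hex("s4lt" + "hunter2")))
```

With a 10 ms hash and an 8-character alphanumeric keyspace, `required_speedup` lands within a few tens of the 46,654 quoted in the post, and `salt_cost_ratio(8, 16)` is exactly 1.0 because both inputs still fit in one 64-byte block; the table lookup succeeds only for the unsalted digest, which is the precomputation defence the reply concedes.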