On Sun, Nov 28, 2010 at 12:11 PM, Christophe Pettus <x...@thebuild.com> wrote:
>> I'm not arguing that a salt helps against brute-forcing a *single*
>> password (it doesn't), but it does in fact help against someone trying
>> to brute-force your entire password database (or any subset of more
>> than one password), since each password with a different salt lies
>> within an entirely different space that must be brute-forced
>> separately from the rest.
>
> I'm not sure what you mean by the "space"; I think you are thinking of a
> rainbow dictionary attack, where the hashes are precomputed; a salt does
> indeed help (and probably blocks) that kind of attack. In the case of a
> straight brute-force attack or a standard dictionary attack without
> precomputing, the only benefit of the salt is that it makes computing the
> candidate hash a bit longer, based on the length of the salt. It's a trivial
> amount of time.
>
> Remember, it's extremely inexpensive to brute-force a single MD5 or SHA1
> hash, and the salt does not make it appreciably more expensive. If a CUDA
> application can brute force 700 million MD5s per second, doubling the length
> is not really going to make it any more secure.
No, I'm not thinking of rainbow tables. The key word here is *single*. As I
said before, a salt *does* help against an attacker trying to brute-force
multiple passwords from your database, since he can't simply test each
brute-force result against all your passwords at once; he has to start all
over from scratch for every single password that has a different salt.

If he only cares about one *particular* account, the salt doesn't help, no.

But regardless, I apologize for derailing this conversation so far off.
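The cost argument both replies are making, as an added example that is not part of the thread: it counts how many MD5 evaluations a dictionary pass needs to recover every account in a toy table, unsalted versus salted with one distinct salt per user, and separately for one particular account. The wordlist, account names, passwords and salts are all constructed.

```python
import hashlib
from collections import defaultdict

# Constructed toy data (not from the thread): a short wordlist, four accounts
# with their plaintext passwords, and one distinct salt per account.
WORDLIST = ["password", "letmein", "hunter2", "qwerty", "dragon", "monkey"]
ACCOUNTS = {"alice": "hunter2", "bob": "qwerty", "carol": "hunter2", "dave": "dragon"}
SALTS = {"alice": "a1", "bob": "b2", "carol": "c3", "dave": "d4"}


def md5_hex(text: str) -> str:
    # MD5 only because it is the hash the thread discusses; a real store would
    # put a deliberately slow password hash on top of the salt.
    return hashlib.md5(text.encode()).hexdigest()


def store(accounts, salts=None):
    """Build a password table of user -> (salt, hash); salts=None means unsalted."""
    table = {}
    for user, pw in accounts.items():
        salt = salts[user] if salts else ""
        table[user] = (salt, md5_hex(salt + pw))
    return table


def guess_all(table, wordlist):
    """Recover every account the wordlist covers; returns (recovered, hash_ops).

    Each candidate is hashed once per distinct salt and the digest is then looked
    up against every account sharing that salt, so the work is
    len(wordlist) * number_of_distinct_salts, independent of the account count."""
    by_salt = defaultdict(lambda: defaultdict(list))
    for user, (salt, digest) in table.items():
        by_salt[salt][digest].append(user)
    recovered, hash_ops = {}, 0
    for salt, digests in by_salt.items():
        for word in wordlist:
            hash_ops += 1
            for user in digests.get(md5_hex(salt + word), []):
                recovered[user] = word
    return recovered, hash_ops


def guess_one(table, user, wordlist):
    """Target one particular account: the salt is stored beside the hash, so the
    cost is at most len(wordlist) hashes whether or not a salt is present."""
    salt, digest = table[user]
    for hash_ops, word in enumerate(wordlist, 1):
        if md5_hex(salt + word) == digest:
            return word, hash_ops
    return None, len(wordlist)
```

With these inputs the unsalted table falls to 6 hashes and the salted one to 24 (6 words times 4 salts), while targeting alice alone costs 3 hashes in both cases.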