On 01/05/12 06:26, Charles Marcus wrote:
>
>> To prevent rainbow table attacks, salt your passwords. You can make them
>> a little bit more difficult in plenty of ways, but salt is the
>> /solution/.
>
> Go read that link (you obviously didn't yet, because he claims that
> salting passwords is next to *useless*...
>

He doesn't claim that, but he's a crackpot anyway. Use a slow algorithm
(others already mentioned bcrypt) to prevent brute-force search, and use
salt to prevent pre-computed lookups. Anyone who tells you otherwise can
probably be ignored. Extraordinary claims require extraordinary evidence.

>> You realize they're just walking around with a $400 post-it note with
>> the password written on it, right?
>
> Nope, you are wrong - as I have patiently explained before. They do not
> *need* to write their password down.
>

They have them written down on their phones. If someone gets a hold of
the phone, he can just read the password off of it.
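The two properties the reply above asks for, a per-password salt against pre-computed lookups and a deliberately slow algorithm against brute-force search, as an added example that is not part of this thread. bcrypt is not in Python's standard library, so hashlib.scrypt (another password KDF) stands in for it; the password and the cost parameter n are constructed for illustration.

```python
import hashlib
import hmac
import os
import time

# Constructed weak password that two different users happen to share.
COMMON_PASSWORD = "password123"


def fast_unsalted(password):
    """Plain SHA-256: fast and unsalted, so equal passwords give equal digests
    and one precomputed table of digests serves against every account."""
    return hashlib.sha256(password.encode()).hexdigest()


def hash_password(password, salt=None, n=2**14):
    """Salted, deliberately slow hash (scrypt standing in for bcrypt).
    A fresh random salt per password defeats precomputed tables; n sets
    the CPU/memory cost paid per guess."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=n, r=8, p=1, dklen=32)
    return salt, digest


def verify_password(password, salt, digest, n=2**14):
    """Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.scrypt(password.encode(), salt=salt, n=n, r=8, p=1, dklen=32)
    return hmac.compare_digest(candidate, digest)


def guesses_per_second(hash_fn, trials=20):
    """Rough throughput of one hash function: how many guesses a brute-force
    search could test per second on this machine."""
    start = time.perf_counter()
    for i in range(trials):
        hash_fn("guess%d" % i)
    return trials / (time.perf_counter() - start)


if __name__ == "__main__":
    print("unsalted digests equal:", fast_unsalted(COMMON_PASSWORD) == fast_unsalted(COMMON_PASSWORD))
    salt_a, dig_a = hash_password(COMMON_PASSWORD)
    salt_b, dig_b = hash_password(COMMON_PASSWORD)
    print("salted digests equal:", dig_a == dig_b)
    print("verify ok:", verify_password(COMMON_PASSWORD, salt_a, dig_a))
    print("fast guesses/s: %.0f" % guesses_per_second(fast_unsalted))
    print("slow guesses/s: %.0f" % guesses_per_second(lambda p: hash_password(p)[1], trials=3))
```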