On 01/05/12 11:14, Charles Marcus wrote:
>
> Ummm... yes, he does... from tfa:
>
> "Salts Will Not Help You
>
> It’s important to note that salts are useless for preventing dictionary
> attacks or brute force attacks. You can use huge salts or many salts or
> hand-harvested, shade-grown, organic Himalayan pink salt. It doesn’t
> affect how fast an attacker can try a candidate password, given the hash
> and the salt from your database.
>
> Salt or no, if you’re using a general-purpose hash function designed for
> speed you’re well and truly effed."
Ugh, sorry. I went to the link that someone else quoted:
https://www.grc.com/haystack.htm

The article you posted is correct. Salt will not prevent brute-force search, but it isn't meant to. Salt is meant to prevent the attacker from using precomputed tables of hashed passwords, called rainbow tables. To prevent brute-force search, you use a better algorithm, like the author says.

>> but he's a crackpot anyway.

Gibson *is* a renowned crackpot.

> Why? I asked because I'm genuinely unsure (don't know enough about the
> innards of the different encryption methods), and that's why I asked.
> Simply saying he's a crackpot means nothing.
>
> Also...
>
>> Use a slow algorithm (others already mentioned bcrypt) to prevent
>> brute-force search,
>
> Actually, that (bcrypt) is precisely what *the author of the article*
> (the one who you are saying is a crackpot) is suggesting to use - I
> guess you didn't even bother to read it or else you'd know that, so why
> bother commenting?

Again, sorry, I don't always know how to work my email client.

> I don't see it as an extraordinary claim, and anyone who goes around
> claiming someone else is a crackpot without evidence to support the
> claim is just yammering.

Your article is fine, but you should always be skeptical because for every article like the one you posted, there are 100 like Gibson's.

> <sigh> No, they don't, your claim is baseless and without merit.
>
> Most people have never even known what their password *is*, much less
> written it down, because as I said (more than once), *I* set up their
> email clients (workstations, home computers and phones) *for them*.

The password is on the phone, in plain text. If I have the phone, I can read it as easily as if it was written in sharpie.
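The two points argued in this message (salt defeats precomputed tables but does nothing to slow down per-guess cost; a slow algorithm is what raises per-guess cost) can be shown side by side. The script below is an added example written for this page, not code from the thread, the quoted article, or the GRC page. It uses PBKDF2-HMAC-SHA256 from the Python standard library as a stand-in for bcrypt, which the thread recommends but which needs a third-party package; the candidate password list, the victim password and the iteration count are constructed for the demonstration.

```python
import hashlib
import os
import time

# Constructed sample "dictionary" for the demo; the victim's password is in it.
CANDIDATES = ["password", "letmein", "hunter2", "correcthorse", "qwerty"]
VICTIM_PASSWORD = "hunter2"

# Cost parameter for the slow hash. Assumed for the example; tune it so one
# hash costs on the order of 100 ms on your hardware.
PBKDF2_ITERATIONS = 100_000


def fast_hash(password: str, salt: bytes = b"") -> str:
    """General-purpose speed-oriented hash (SHA-256), optionally salted."""
    return hashlib.sha256(salt + password.encode()).hexdigest()


def slow_hash(password: str, salt: bytes, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Deliberately slow, salted password hash (PBKDF2-HMAC-SHA256).
    Same idea as bcrypt: a tunable cost applied to every single guess."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()


def build_rainbow_table(candidates):
    """Precomputed hash -> password map for UNSALTED SHA-256. Computed once,
    reusable against every stored hash in every database. This is what a salt defeats."""
    return {fast_hash(p): p for p in candidates}


def lookup_unsalted(stored_hash: str, table: dict):
    """Instant recovery via the precomputed table, or None if absent."""
    return table.get(stored_hash)


def crack_salted(stored_hash: str, salt: bytes, candidates, hash_fn):
    """With a per-user salt the attacker must recompute the hash for each guess
    against this one user. Returns (recovered_password_or_None, guesses_made)."""
    for n, candidate in enumerate(candidates, start=1):
        if hash_fn(candidate, salt) == stored_hash:
            return candidate, n
    return None, len(candidates)


def demo() -> dict:
    """Run the three scenarios and return the measurable results."""
    # 1. Unsalted fast hash: the precomputed table cracks it with zero guesses.
    table = build_rainbow_table(CANDIDATES)
    from_table = lookup_unsalted(fast_hash(VICTIM_PASSWORD), table)

    # 2. Salted fast hash: the table is useless, but each guess is still cheap,
    #    so a dictionary attack runs through candidates at full speed.
    salt = os.urandom(16)
    stored_fast = fast_hash(VICTIM_PASSWORD, salt)
    table_hit = lookup_unsalted(stored_fast, table)
    t0 = time.perf_counter()
    pw_fast, guesses_fast = crack_salted(stored_fast, salt, CANDIDATES, fast_hash)
    fast_secs = time.perf_counter() - t0

    # 3. Salted slow hash: exactly the same number of guesses is needed, but each
    #    guess now costs PBKDF2_ITERATIONS rounds, so the attack is far slower.
    stored_slow = slow_hash(VICTIM_PASSWORD, salt)
    t0 = time.perf_counter()
    pw_slow, guesses_slow = crack_salted(stored_slow, salt, CANDIDATES, slow_hash)
    slow_secs = time.perf_counter() - t0

    return {
        "from_table": from_table,      # "hunter2": unsalted hash recovered instantly
        "table_hit": table_hit,        # None: salt defeats the precomputed table
        "pw_fast": pw_fast, "guesses_fast": guesses_fast, "fast_secs": fast_secs,
        "pw_slow": pw_slow, "guesses_slow": guesses_slow, "slow_secs": slow_secs,
    }


if __name__ == "__main__":
    r = demo()
    print(f"unsalted table lookup     : {r['from_table']}")
    print(f"salted, table lookup      : {r['table_hit']}")
    print(f"salted SHA-256 dictionary : {r['pw_fast']} in {r['guesses_fast']} guesses, {r['fast_secs']:.6f}s")
    print(f"salted PBKDF2 dictionary  : {r['pw_slow']} in {r['guesses_slow']} guesses, {r['slow_secs']:.3f}s")
```

The guess count is identical in scenarios 2 and 3: the salt only removes the precomputation shortcut, and it is the per-guess cost of the slow algorithm that changes how many candidates an attacker can afford to try. A real attacker runs the same loop on GPUs across a much larger candidate list, which is why the cost parameter (here the iteration count, for bcrypt the work factor) has to be raised over time rather than set once.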