> If we have a deterministic (1:1) transform t() of the password, then
> hash(t(password)) is exactly some hash'(password). We've redefined the
> hash function, and all we have to do is to create a new rainbow table
> for that function. That is, you can consider any 1:1 pre-hash
> transform of the password to be part of the hash function itself.
> Sure, if hash() was md5(), then hash'() will be something else, and
> you won't be able to take advantage of public rainbow tables. But you
> can create your own rainbow table for hash'.
I think here is where the source of confusion is. For the record, I am not talking about a brute-force known-hash attack (in which, incidentally, the "random" salt used in your approach becomes "known" anyway). If I read you correctly, you are saying that all you need to do is generate a custom rainbow table with hash(t(password)) and you'll be set. What I am saying is that you will have to generate that custom rainbow table for *each* record you'd like to crack. Now, my point is that your approach is exactly the same as the one I said earlier: by adding a pseudo-random number as the salt, with that salt being 100% discoverable (deterministic), you are just playing the same game but with a different ball.
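The two schemes the thread argues over, as an added example that is not part of either post: a fixed 1:1 transform t() collapses into a single redefined hash', so one precomputed table covers every record, while a per-record random salt stored beside the hash forces a fresh table per record. The transform (string reversal), the wordlist, the users and the salts are all constructed for illustration.

```python
import hashlib
import os

# Constructed toy wordlist; the precomputed table in the thread would be far larger.
WORDLIST = ["password", "letmein", "qwerty", "web2py"]

def t(password: str) -> str:
    """Deterministic 1:1 pre-hash transform (constructed: reverse the string)."""
    return password[::-1]

def hash_prime(password: str) -> str:
    """hash'(pw) = sha256(t(pw)): the transform is absorbed into the hash definition."""
    return hashlib.sha256(t(password).encode()).hexdigest()

def salted_hash(password: str, salt: bytes) -> str:
    """Per-record salt prepended to the password before hashing."""
    return hashlib.sha256(salt + password.encode()).hexdigest()

def build_table(hash_fn):
    """Precompute hash -> plaintext over the wordlist (stands in for a rainbow table)."""
    return {hash_fn(w): w for w in WORDLIST}

def lookup_fixed(stored):
    """hash'() takes no per-record input, so one table serves every record."""
    table = build_table(hash_prime)
    return 1, {user: table.get(h) for user, h in stored.items()}

def lookup_salted(stored):
    """Each record has its own salt, so a table built for one is useless for the next."""
    recovered = {}
    for user, (salt, h) in stored.items():
        table = build_table(lambda w, s=salt: salted_hash(w, s))
        recovered[user] = table.get(h)
    return len(stored), recovered

def demo():
    users = {"alice": "password", "bob": "password", "carol": "web2py"}  # constructed
    fixed = {u: hash_prime(p) for u, p in users.items()}
    salted = {}
    for u, p in users.items():
        salt = os.urandom(16)  # stored beside the hash, so "known" to whoever reads the table
        salted[u] = (salt, salted_hash(p, salt))
    n_fixed, rec_fixed = lookup_fixed(fixed)
    n_salted, rec_salted = lookup_salted(salted)
    return {"tables_fixed": n_fixed, "tables_salted": n_salted,
            "recovered_fixed": rec_fixed, "recovered_salted": rec_salted,
            # identical passwords collide visibly only under the fixed scheme
            "fixed_equal": fixed["alice"] == fixed["bob"],
            "salted_equal": salted["alice"][1] == salted["bob"][1]}
```

Both schemes fall to the toy wordlist, but the salted one costs one table per record and hides which users share a password; that cost scaling is the point the reply is making.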