[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Full-disclosure] Salted passwords
- To: Valdis.Kletnieks@xxxxxx
- Subject: Re: [Full-disclosure] Salted passwords
- From: T Biehn <tbiehn@xxxxxxxxx>
- Date: Mon, 10 Aug 2009 16:50:32 -0400
Valdis,
I don't have control over the set. Sorry I wasn't more explicit about
this. Although, it should have been obvious that the solution needed
to satisfy the conditions:
Data to one way hash.
The set has 9,999,999,999 members.
Thanks for your input sweetie!
-Travis
On Mon, Aug 10, 2009 at 4:26 PM, <Valdis.Kletnieks@xxxxxx> wrote:
> On Sun, 09 Aug 2009 20:14:57 EDT, T Biehn said:
>> Soliciting random suggestions.
>> Lets say I have data to one-way-hash.
>> The set has 9,999,999,999 members.
>
> Actually, if you're using a 10-digit decimal field, you probably have 10**10
> possible members - all-zeros counts too (unless there's *other* reasons zero
> isn't a legal ID). It's those little off-by-one errors that tend to get you.
> ;)
>
>> It's relatively easy to brute force this, or create precomp tables.
>
> That's because you only have 10M billion members to brute force against.
>
>> So you add a salt to each.
>
> A better idea cryptographically would be to fix the 10**10 member limit, so
> that the set *could* have a much higher possible number of members. Even
> staying at 10 characters, but allowing [A-Za-z0-9] (62 possible chars) raises
> your space to 62**10 or about 8.3*10**17 (or almost 10M times the difficuly).
> That's why most symmetric crypto algorithms use at least 64-bit or even larger
> keys, and even larger for RSA and similar public-key systems.
>
>
--
pgp http://pastebin.com/f6fd606da pgp
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/