tags:

views:

502

answers:

6
+6  Q: 

Are hashed and salted passwords secure against dictionary attacks?

I understand that salts make the same password hash to different values. However, salts are usually stored in the database with the password. So let's say I am attacker, here is how I might use a dictionary attack against a salt (note in this example i don't write out 128 bit hashes or salts for the sake of brevity):

user_pw = 'blowfish'

Given:
email = '[email protected]'
hash = '1234567890'
salt = '0987654321'

function attack(){
  for each(word in dictionary)
    md5( word * salt ) == hash ? cracked_one(email, word)
}

I understand this prevents hackers from using rainbow tables...but doesn't seem to prevent dictionary attacks. I guess you could add something else to the hash algorithm, but with security we must assume that the method of attack is known.

So it seems that salting prevents hackers from figuring out which passwords are likely to be dictionary passwords (ones that multiple users have) and prevents rainbow attacks...but does not prevent dictionary attacks.

Is this a correct analysis? Any suggestions for better security?

Thanks!

+1  A: 

That's correct. If someone got the password material, a dictionary attack would be effective.

To guard against this:

  • Make sure your passwords aren't subject to dictionary attacks.
  • Make sure your password file (/etc/shadow) is readable only by root.
Jared Oberhaus  2009-07-10 19:27:22
This is perhaps an obvious questions in hindsight, but is there an option to reject passwords that are found in a dictionary? I'm not asking specifically about Unix variants, either.
Steven Sudit  2009-07-10 19:35:58
@Steven Sudit: you can use cracklib for this purpose
hayalci  2009-07-10 19:38:18
Sure, but is this integrated into the password change system?
Steven Sudit  2009-07-10 19:48:21
If pam_cracklib.so included in the PAM stack, it is integrated.
hayalci  2009-07-15 14:13:41
A: 

Your logic is sound, but in reality, with enough computing power and time, there is no protection against dictionary/brute-force attacks.

byte  2009-07-10 19:27:44
Perhaps with enough power and time, there is no protection against brute force attacks. However, using a password that's not in any dictionary is sufficient to protect you from any dictionary attack.
Steven Sudit  2009-07-10 19:34:35
good point, but training users to select secure passwords is an effort in itself
farinspace  2009-09-25 06:49:30
+9  A: 

Salt doesn't prevent dictionary attacks, just precalculated dictionary attacks. In particular, it protects against rainbow tables (http://en.wikipedia.org/wiki/Rainbow_table) and also ensures that cracking one user's password doesn't automatically let you crack any user who shares that password.

The article I linked to mentions some ways to improve upon salting, incudling key strengthening (http://en.wikipedia.org/wiki/Key_strengthening).

Steven Sudit  2009-07-10 19:28:30
it seems like the big difference is that by using a salt, the attacker would basically have to compute a new dictionary or rainbow table for each salt or user. do you know how long it takes to compute a rainbow table maybe on 1 million words? (not looking for an exact answer here)
Tony  2009-07-10 19:38:36
Not personally, but http://project-rainbowcrack.com/table.htm says you don't need to make your own: you can download theirs. Worse, the crackers are taking advantage of the NVidia Cuda GPU to accelerate their efforts.These rainbow tables are huge, even by modern standards, so multiplying them by as little as 4G (32 bits) is enough to make it entirely infeasible to even STORE every possible rainbow table, forgetting the cost of generation.
Steven Sudit  2009-07-10 19:47:49
+1  A: 

Without salt, the attacker can generate hashes for every word in his dictionnary then run the new dictionnary against your passwords list

With salt, each password is hashed with a random string so even with the prior hashed dictionnary knowledge, he still have to re-create a new hashed dictionnary containing the salt for every different salt in your database.

Just think of dictionnaries tables as a subset (small portion) of the rainbow tables. While rainbow tables can contain billions of entries, dictionnaries contain "known words", so maybe a few million entries at most.

The reason why rainbow tables fail against salt is because the re-creation process would be "billions of entries" of recalculation while dictionnary attacks are still "few millions of entries". The salt just blocks precomputed values

Eric  2009-07-10 19:28:52
I'm not sure that's exactly correct. Brute force implies a sequential or random search through the possible password space. With salt, the attacker can still apply the salt and hash to a dictionary, but they have to pick a single salt value to do it for and they're not going to have that value arbitrarily in advance, so they'll have to calculate it on the fly.
Steven Sudit  2009-07-10 19:33:25
@steven you are right, I corrected the misunderstanding
Eric  2009-07-10 19:41:00
+4  A: 

Nothing keeps an attacker from just guessing the password.

Salts just make it harder by forcing an attacker to hash the dictionary on a per-user (effectively, per-salt) basis.

To improve security, a tunable hash function is your best bet. Crank the time-per-hash up, making dictionary attacks impractical on whatever hardware your attacker is likely to have available.

Basically, read this.

Kevin Montrose  2009-07-10 19:33:12
The tunable hash approach sounds just like key strengthening. Any hash can be tuned this way by running it over and over again.
Steven Sudit  2009-07-10 19:37:14
Yep, it's key strengthening and a related technique. Good article, though, especially the part about SRP. Thanks.
Steven Sudit  2009-07-10 19:41:25
A: 

I'd suggest reading this

zebrabox  2009-07-10 19:43:57
This happens to be the same article that Kevin Montrose linked to earlier.
Steven Sudit  2009-07-10 19:51:56

related questions

Encryption in C# Web-Services
How Do You Secure database.yml?
ASP.NET LocationProvider
What do you (or your company) use for wiping a machine?
Can a proxy server cache SSL GETs? If not, would response body encryption suffice?
Java: What is the best way to SFTP a file from a server
How do I call a Flex SWF from a remote domain using Flash (AS3) ?
Best way to store a database password in a startup script / config file?
Using VM to get around VPN restrictions
Best references for secure coding practices in ASP.NET and classic ASP.
Secure Memory Allocator in C++
Resolving Session Fixation in JBoss
Best Practices for securing a REST API / web service
Defensive programming
Personal Linux web server
Block user access to internals of a site using HTTP_REFERER
Is there an Unobtrusive Captcha for web forms?
My website got hacked... What should I do?
What all do I need to escape when sending a (My)SQL query?
How do you disable browser Autocomplete on web form field / input tag?
Best .NET obfuscation tools/strategy
Are there best practices for testing security in an Agile development shop?
What is the best way to avoid SQL injection attacks?
Found a critical bug, but the company doesn't care
PHP Session Security