I'm having some trouble understanding the purpose of a salt to a password. It's my understanding that the primary use is to hamper a rainbow table attack. However, the methods I've seen to implement this don't seem to really make the problem harder.
I've seen many tutorials suggesting that the salt be used as the following:
$hash = ...
Let's say we have a wordlist with words.
What I want to do is generate MD5 hashes from them.
(I have a 30 GB wordlist, and I want to convert all of it to MD5.)
I don't care which language.
Say I have the word "Test" in the wordlist.
So I want it in this format:
test:098f6bcd4621d373cade4e832627b4f6
098f6bcd4621d373cade4e832627b4f6 = Test in...
Re question non-random-salt-for-password-hashes: Mr Potato Head states that the use of MD5 instead of SHA-512 makes generating rainbow tables easier? I'd have thought that once your rainbow table is generated, the algorithm used is irrelevant? It would make no difference to how you use the rainbow table to check for known hashes? An...
Ok, so the whole problem with hashes is that users don't enter passwords over 15 characters long. Most only use 4-8 characters making them easy for attackers to crack with a rainbow table.
Solution: use a user salt to make the hash input more complex and over 50 chars, so that they will never be able to generate a table (way too big for string...
When we say dictionary attack, we don't really mean a real dictionary, do we? My guess is we mean a hacker's dictionary i.e. rainbow tables, right?
My point is we're not talking about someone keying different passwords into the login box, we're talking about someone who has full access to your database (which has hashed passwords, not p...
Hello,
As I understand it, the best practice for generating salts is to use some cryptic formula (or even magic constant) stored in your source code.
I'm working on a project that we plan on releasing as open source, but the problem is that with the source comes the secret formula for generating salts, and therefore the ability to run ...
I've spent the past 2 hours reading up on salting passwords, making sure that I understood the idea. I was hoping some of you could share your knowledge on my conclusions.
Say the salts on a system are 12 characters. If I'm an attacker, I don't have to create a rainbow table of all the combinations of those 12 characters with each entr...
I have heard that the only purpose of a salt is to prevent rainbow table attacks, but surely it must have more value than this? Would it not prevent a dictionary-based attack too? And what about brute-forcing, would a salt be of any use there? And could you explain why, please?
Second, suppose I had an algorithm that took the microtime,...
Hello,
I was wondering if someone could explain in detail how chains work in rainbow tables, as you would to a complete novice, but with relevance to programming.
I understand that a chain is 16 bytes long. 8 bytes mark the starting point and 8 mark the end. I also understand that in the filename we have the chain length i.e. 2400...
I recently obtained the l0pht-CD for Windows and tried it out on my PC, and it WORKS!!
http://2600hertz.wordpress.com/2009/12/22/100-windows-xp-vista-7-password-recovery/
I have also read
http://kestas.kuliukas.com/RainbowTables/
I'm designing a "Login-Simulator" that stores pwd-s in a similar manner. The current implementation w...
Since chains of rainbow tables are very long, are there many different reduction functions used to reduce each hash, or are there only a handful, while using indexes to prevent merging? Or something else?
...
In explanations I've read about public key cryptography, it is said that some large number is produced by multiplying together 2 extremely large primes. Since factoring the product of large primes is almost impossibly time-consuming, you have security.
This seems like a problem that could be trivially solved with rainbow tables. If ...
I've heard of people using this approach and would like to know what the implications are. I just know it's a bad idea!
From what I understand, salting a password before storing the hash in a DB has the primary purpose of making every hashing algorithm unique, and thus requiring a new rainbow table for every user when trying to crack it...