On Thu, 11 Aug 2011 20:47:40 +0100, Orchid XP v8 wrote:
>> You said "password crackers" (plural). You might have noticed, but
>> users aren't exactly patient about things. If it takes all these tools
>> 20 minutes to decide the password is secure enough, they'll be
>> complaining to you that their system hung when they changed their
>> password.
>
> Oh, I see.
>
> Well, yes, the average user doesn't give a fig how secure their password
> is, only how difficult it is to remember. I was thinking more of people
> who *do* care about such things.

So in other words, you'd test your passwords offline before choosing them.

>>> On the other hand, salting the password trivially defeats rainbow
>>> tables.
>>
>> Sure, but how many password systems don't use a salt value?
>
> Well, that's true enough, sadly...
>
> (I still remember having a 25-post discussion with Tom Kyte about this.
> He still fails to see why salt is useful.)

Salt is useful only if the way in which it's selected is useful. If the
salt value is predictable or easily determined, then it's not so useful.
But of course the salt value has to be predictable and easy for the
system to determine, otherwise (of course), you couldn't properly salt
the hash, and you'd end up with a mismatch on the result.

One of the more creative salt values I've seen used is the password
length. It's always predictable and easy to determine if you have the
password, but if you have the password, you don't need to determine the
salt value (duh).

Jim
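As an added illustration of the salt-selection point above (example code written for this page, not from the thread or its participants; PBKDF2-HMAC-SHA256, the iteration count and the two sample accounts are assumptions): a salt derived from the password itself, such as its length, makes two accounts with the same password produce the same stored digest, while a per-account random salt stored beside the digest does not, yet still lets the system re-derive the hash at login.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumption: any slow password hash would do; PBKDF2 is used for portability

# Constructed sample: two accounts that happen to share the same password.
SAMPLE_USERS = {"alice": "correct horse", "bob": "correct horse"}


def pbkdf2(password: str, salt: bytes) -> str:
    """Derive a hex digest from password and salt with PBKDF2-HMAC-SHA256."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS).hex()


def store_length_salted(users: dict) -> dict:
    """Salt = password length, the scheme mentioned in the post. The salt is a
    function of the password, so equal passwords always yield equal digests."""
    table = {}
    for name, pw in users.items():
        salt = str(len(pw)).encode()
        table[name] = (salt, pbkdf2(pw, salt))
    return table


def store_random_salted(users: dict) -> dict:
    """Salt = 16 random bytes per account, stored next to the digest so the
    system can recompute the hash at login without the salt being guessable."""
    table = {}
    for name, pw in users.items():
        salt = os.urandom(16)
        table[name] = (salt, pbkdf2(pw, salt))
    return table


def verify(table: dict, name: str, attempt: str) -> bool:
    """Login check: re-hash the attempt with the stored salt, compare in constant time."""
    salt, digest = table[name]
    return hmac.compare_digest(pbkdf2(attempt, salt), digest)


def shared_digests(table: dict) -> bool:
    """Audit check: do any two accounts hold an identical digest? With a proper
    per-account salt this is never true, even when the passwords are the same."""
    digests = [digest for _, digest in table.values()]
    return len(digests) != len(set(digests))
```

Running `shared_digests` over a real credential store is a cheap way to spot a salt scheme that is not actually per-user.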