Re: [News] MD5 / SHA-1 Encryptions Weakened
- From: "Igor Tandetnik" <itandetnik@xxxxxxxx>
- Date: Fri, 11 Nov 2005 08:41:34 -0500
"Mark Randall" <mark[__OKTHISISFAKE_]yr@xxxxxxxxxxxxxxxxxxxxxxxxxxx>
wrote in message news:uA7e99r5FHA.3588@xxxxxxxxxxxxxxxxxxxx
> Bad news for application developers (hence this post).
>
> After several months of processing, MD5 and SHA1 lookup tables have
> been generated up to 14 characters in length. See
> http://www.theregister.co.uk/2005/11/10/password_hashes/
>
> The related site:
> http://www.rainbowcrack-online.com/?x=pricing
Note that this technique is very easily thwarted by salting your hashes.
Most modern systems dealing with passwords salt them already, and those
that don't should run, not walk, and implement salting.

Salting is a very simple technique. You generate a random number (called
salt value or simply salt), append it to the password and hash them
together. You then store the hash together with the salt. To verify the
password, you append the stored salt value to it, hash them, and compare
with the hash you calculated when the password was created.

The reason it works against rainbow table attack is that now the
attacker has to precompute hashes for every combination of password and
salt, not just for every password. With large enough salt values (64-bit
is typical) the task becomes infeasible. This can be further aided by
applying stretching, which effectively makes passwords longer.
--
With best wishes,
Igor Tandetnik
With sufficient thrust, pigs fly just fine. However, this is not
necessarily a good idea. It is hard to be sure where they are going to
land, and it could be dangerous sitting under them as they fly
overhead. -- RFC 1925
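
The salting and stretching scheme described in the reply above, as an added example that is not part of the original post. It shows a precomputed table matching an unsalted hash but not a salted one. The choice of SHA-256, the round count, the function names and the sample word list are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

SALT_BYTES = 8    # 64-bit salt, the size the reply calls typical
ROUNDS = 10_000   # stretching iterations (assumed value, tune to your hardware)


def stretch(password, salt, rounds=ROUNDS):
    """Hash password + salt, then re-hash the digest with the salt `rounds` times."""
    digest = hashlib.sha256(password.encode("utf-8") + salt).digest()
    for _ in range(rounds):
        digest = hashlib.sha256(digest + salt).digest()
    return digest


def create_record(password):
    """Return (salt, hash): the pair stored when the password is set."""
    salt = secrets.token_bytes(SALT_BYTES)
    return salt, stretch(password, salt)


def verify(password, record):
    """Recompute with the stored salt and compare in constant time."""
    salt, stored = record
    return hmac.compare_digest(stretch(password, salt), stored)


def unsalted(password):
    """The weak scheme: one hash of the bare password."""
    return hashlib.sha256(password.encode("utf-8")).digest()


# Constructed sample: a tiny precomputed table standing in for a rainbow table.
TABLE = {unsalted(w): w for w in ("letmein", "password", "qwerty")}


def table_lookup(stored_hash):
    """Return the password if the stored hash appears in the precomputed table."""
    return TABLE.get(stored_hash)


if __name__ == "__main__":
    record = create_record("letmein")
    print("unsalted hash found in table:", table_lookup(unsalted("letmein")))
    print("salted hash found in table:  ", table_lookup(record[1]))
    print("correct password verifies:   ", verify("letmein", record))
    print("wrong password verifies:     ", verify("letmein1", record))
```

Python's standard library also offers `hashlib.pbkdf2_hmac`, a standardized salted and stretched construction that can replace the hand-rolled `stretch` loop.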