Salted Hashes - Dev Shed

Dev Shed Forums Sponsor:

May 7th, 2009, 12:01 AM

kg84

Registered User

Join Date: May 2009

Posts: 1

Time spent in forums: 8 m 18 sec
Reputation Power: 0

Crypto Algorithm Question - Salted Hashes

Hi All,

I think I GET hashes but trying to cement my knowledge on SALTED hashes. Hoping someone might tell me if this statement is correct, incorrect or basically correct with a few additions.

Quote:

(imagine you are hacking a plain old Unix Password file – nothing special)

Scenario 1 – no SALTED passwords.
- Usernames in Password file = 10
- Valid usable password words = 10 (i.e. must choose from 10 acceptable passwords) – e.g lemon, pear, apple, peach, watermelon, mandarin – etc : up to 10 fuits only, must use these passwords.
- The HASH tabled needed to brute force a username and password will have 10 hashed entries in it – i.e. each acceptable password word hashed.

Scenario 2- SALTED password – SALT value no secret.
- Usernames in password file = 10
- Valid usable password words = 10 (i.e. must choose from 10 acceptable passwords)
- SALT is unique for each password and stored in somewhat public location.
- The HASH tabled needed to brute force a username and password will have 100 hashed entries in it – logic – every acceptable password word times every listed SALT (of which there will be 10 – one for each password).

So the computational effort required to make a hash table to brute force a password when passwords are SALTED is exponentially harder the larger the dictionary of valid brute force passwords – and this is for a known SALT scenario.

Considerations..
- A hacker could JUST pick one user only from a user DB and this negates the SALT as for one user the HASED output based on the same dictionary input will be the same. But the hacker should hope that the users password is listed in the dictionary input table and not very complex – i.e. it has to be guessable in some fashion.
- The hacker one the other hand could take the WHOLE user DB, maybe 100 users as there is most likely at least one person there that has a lame password which will fall inside the input dictionary though the computational work to create the hashed table and then check against the password database is extreme in comparison.

Thanks!

May 7th, 2009, 09:12 AM

AstroTux

Contributing User

Join Date: Feb 2008

Posts: 510

Time spent in forums: 4 Days 6 h 20 m 43 sec
Reputation Power: 38

Hi,

Instead of computing 10 hashes (one for each password), you'd have to compute 40 hashes.

You'd have to compute:

pass
SALTpass
passSALT
SALTpassSALT

at least.

If you are doing for an arbitrary password, you still quadrupled the (very large) workload.

It would be easier to just ask.

Best regards,
AstroTux.

Viewing: Dev Shed Forums > System Administration > Security and Cryptography > Crypto Algorithm Question - Salted Hashes

« Previous Thread | Next Thread »

Thread Tools	Search this Thread
Email this Page	Search this Thread: Advanced Search
Display Modes	Rate This Thread
Linear Mode Switch to Hybrid Mode Switch to Threaded Mode	Rate This Thread:

Posting Rules
You may not post new threads You may not post replies You may not post attachments You may not edit your posts vB code is On Smilies are On [IMG] code is On HTML code is Off

View Your Warnings | New Posts | Latest News | Latest Threads | Shoutbox

Forum Jump

Free IT White Papers!

How to Present Effectively Online
This white paper offers practical and actionable advice on the key steps that any presenter should consider as they plan and execute a Webinar or online meeting.

Open Source Security Myths
Open Source Software (OSS) is computer software whose source code is available to the general public with relaxed or non-existent intellectual property restrictions (or arrangement such as the public domain), and is usually developed with the input of many contributors.

Power and Cooling Capacity Management for Data Centers
This paper describes the principles for achieving power and cooling capacity management.

Scalable, Fault-Tolerant NAS for Oracle - The Next Generation
For several years NAS has been evolving as a storage alternative for Oracle databases, and for good reason: NAS is quite often the simplest, most cost-effective storage approach for Oracle. Learn about the benefits that HP's approach to scalable NAS brings to Oracle environments in this comprehensive white paper.

Understanding Web Application Security Challenges
This white paper discusses many common threats and preventive measures for Web application security, and explains what you can do to help protect your organization.

More Free IT White Papers!