[sf-lug] For SysAdmins upgrading of the hashing algorithm

David Sterry david at sterryit.com
Wed Jun 13 20:07:37 PDT 2012


On 06/13/2012 05:39 PM, Rick Moen wrote:
> As a fine point, Steve Bibayoff, that is also why there's no real gain
> from using per-account individual salts within a system:  By salting the
> hashes for the system as a whole, you are already defeating the
> attackers' ability to precalculate a mammoth table.
I would say there is a gain and it will become more relevant over time
to have dynamic salt. In the case where one salt is used for all users,
the attacker must only generate a single new rainbow table. This is
something that is speeding up with the use of GPUs and FPGAs to
calculate hashes. Using a dynamic salt means it just doesn't make sense
to create a rainbow table any more.

To further strengthen password storage, some systems use many rounds of
hashing. This means each try, even knowing the salt, will require as
many rounds as the developer chooses. Furthermore, the number of rounds
can be seamlessly increased as hashing hardware gets faster.

I've taken a personal interest in this as I've been involved with
Bitcoin ventures where there is a) direct financial gain for an attacker
who cracks a password and b) growing knowledge about building hardware
to calculate hashes quickly.

-David
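The two points in the message above (per-account salts, and a round count that can be raised later), as an added example that is not part of the original post. PBKDF2-HMAC-SHA256, the `scheme$rounds$salt$digest` record layout and the function names are assumptions chosen for illustration; the post names no specific algorithm.

```python
import hashlib
import hmac
import os

def hash_password(password, rounds, salt=None):
    """Return 'pbkdf2-sha256$rounds$salt_hex$digest_hex'.

    salt=None draws a fresh random salt, i.e. the per-account ("dynamic") case.
    """
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return f"pbkdf2-sha256${rounds}${salt.hex()}${digest.hex()}"

def verify_password(password, record):
    """Recompute with the salt and round count stored in the record itself."""
    _scheme, rounds, salt_hex, digest_hex = record.split("$")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))

def login(password, record, target_rounds):
    """Verify, then transparently re-hash if the record is below target_rounds.

    Returns (ok, record_to_store). The plaintext is only available at login,
    which is why the upgrade happens here rather than in a batch job.
    """
    if not verify_password(password, record):
        return False, record
    if int(record.split("$")[1]) < target_rounds:
        record = hash_password(password, target_rounds)
    return True, record

if __name__ == "__main__":
    # Constructed sample values; round counts are kept small so the demo is quick.
    site_salt = b"constructed-site-wide-salt"
    alice = hash_password("hunter2", 1000, site_salt)
    bob = hash_password("hunter2", 1000, site_salt)
    print("shared salt, same password -> same record:", alice == bob)

    alice = hash_password("hunter2", 1000)
    bob = hash_password("hunter2", 1000)
    print("per-account salt, same password -> same record:", alice == bob)

    ok, upgraded = login("hunter2", alice, target_rounds=2000)
    print("login ok:", ok, "| rounds now:", upgraded.split("$")[1])
```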