On 2012-01-05 10:28 AM, Michael Orlitzky michael@orlitzky.com wrote:
> On 01/05/12 06:26, Charles Marcus wrote:
>>> To prevent rainbow table attacks, salt your passwords. You can make them a little bit more difficult in plenty of ways, but salt is the /solution/.
>> Go read that link (you obviously didn't yet, because he claims that salting passwords is next to *useless*...
> He doesn't claim that,
Ummm... yes, he does... from tfa:
"Salts Will Not Help You
It’s important to note that salts are useless for preventing dictionary attacks or brute force attacks. You can use huge salts or many salts or hand-harvested, shade-grown, organic Himalayan pink salt. It doesn’t affect how fast an attacker can try a candidate password, given the hash and the salt from your database.
Salt or no, if you’re using a general-purpose hash function designed for speed you’re well and truly effed."
> but he's a crackpot anyway.
Why? I asked because I'm genuinely unsure (don't know enough about the innards of the different encryption methods), and that's why I asked. Simply saying he's a crackpot means nothing.
Also...
> Use a slow algorithm (others already mentioned bcrypt) to prevent brute-force search,
Actually, that (bcrypt) is precisely what *the author of the article* (the one who you are saying is a crackpot) is suggesting to use - I guess you didn't even bother to read it or else you'd know that, so why bother commenting?
> and use salt to prevent pre-computed lookups. Anyone who tells you otherwise can probably be ignored. Extraordinary claims require extraordinary evidence.
I don't see it as an extraordinary claim, and anyone who goes around claiming someone else is a crackpot without evidence to support the claim is just yammering.
> You realize they're just walking around with a $400 post-it note with the password written on it, right?
Nope, you are wrong - as I have patiently explained before. They do not *need* to write their password down.
> They have them written down on their phones. If someone gets a hold of the phone, he can just read the password off of it.
<sigh> No, they don't, your claim is baseless and without merit.
Most people have never even known what their password *is*, much less written it down, because as I said (more than once), *I* set up their email clients (workstations, home computers and phones) *for them*.
--
Best regards,
Charles
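The two points argued over in this thread (a salt stops precomputed tables but does not slow down a single guess; only a deliberately slow algorithm does that) can be checked directly. The following Python script is an added illustration, not code from either poster or from the article quoted above. It uses PBKDF2-HMAC-SHA256 from the standard library as the "slow algorithm" because it needs no third-party package; bcrypt, which the thread mentions, plays the same role. The iteration count, salt length and sample passwords are assumptions chosen for the demonstration.

```python
import hashlib
import hmac
import os
import time

# Constructed parameters for the demonstration (assumptions, not values from the thread).
PBKDF2_ITERATIONS = 100_000
SALT_BYTES = 16


def fast_salted_hash(password: bytes, salt: bytes) -> bytes:
    """A general-purpose hash with a salt prepended.

    The salt defeats precomputed (rainbow) tables, because a table would have to
    be rebuilt per salt, but it does nothing to slow down each individual guess.
    """
    return hashlib.sha256(salt + password).digest()


def slow_salted_hash(password: bytes, salt: bytes, iterations: int = PBKDF2_ITERATIONS) -> bytes:
    """A salted, deliberately slow KDF (PBKDF2-HMAC-SHA256).

    Stands in for bcrypt here only because it ships with the standard library.
    """
    return hashlib.pbkdf2_hmac("sha256", password, salt, iterations)


def make_record(password: bytes, hasher) -> tuple:
    """Store a fresh random salt alongside the digest, as a database row would."""
    salt = os.urandom(SALT_BYTES)
    return salt, hasher(password, salt)


def verify(password: bytes, record: tuple, hasher) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    salt, digest = record
    return hmac.compare_digest(hasher(password, salt), digest)


def salt_defeats_precomputation(password: bytes = b"correct horse") -> bool:
    """Two records of the same password must differ: a table built for one
    salt says nothing about the other, yet each record still verifies."""
    record_a = make_record(password, fast_salted_hash)
    record_b = make_record(password, fast_salted_hash)
    return record_a[1] != record_b[1] and verify(password, record_a, fast_salted_hash)


def guesses_per_second(hasher, salt: bytes, trials: int) -> float:
    """Candidate passwords per second that can be checked against one stolen
    (salt, digest) pair with this hasher. The salt is known, so the only
    per-guess cost is the hash itself, which is the article's point."""
    start = time.perf_counter()
    for i in range(trials):
        hasher(b"candidate-%d" % i, salt)
    elapsed = time.perf_counter() - start
    return trials / max(elapsed, 1e-9)


def slowdown_factor() -> float:
    """Ratio of guess rates, fast salted hash over slow salted KDF, same salt."""
    salt = os.urandom(SALT_BYTES)
    fast = guesses_per_second(fast_salted_hash, salt, trials=20_000)
    slow = guesses_per_second(slow_salted_hash, salt, trials=3)
    return fast / slow


if __name__ == "__main__":
    print("salt defeats precomputation:", salt_defeats_precomputation())
    print("slow KDF cuts the guess rate by a factor of about %.0f" % slowdown_factor())
```

Running it shows both halves of the argument at once: `salt_defeats_precomputation()` is true for the fast hash, so salting is not useless, while `slowdown_factor()` is several orders of magnitude, which is the part a salt alone never buys you.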