On 01/05/12 11:14, Charles Marcus wrote:
Ummm... yes, he does... from tfa:
"Salts Will Not Help You
It’s important to note that salts are useless for preventing dictionary attacks or brute force attacks. You can use huge salts or many salts or hand-harvested, shade-grown, organic Himalayan pink salt. It doesn’t affect how fast an attacker can try a candidate password, given the hash and the salt from your database.
Salt or no, if you’re using a general-purpose hash function designed for speed you’re well and truly effed."
Ugh, sorry. I went to the link that someone else quoted:
https://www.grc.com/haystack.htm
The article you posted is correct. Salt will not prevent brute-force search, but it isn't meant to. Salt is meant to prevent the attacker from using precomputed tables of hashed passwords, called rainbow tables.
To prevent brute-force search, you use a better algorithm, like the author says.
but he's a crackpot anyway.
Gibson *is* a renowned crackpot.
Why? I asked because I'm genuinely unsure (don't know enough about the innards of the different encryption methods), and that's why I asked. Simply saying he's a crackpot means nothing.
Also...
Use a slow algorithm (others already mentioned bcrypt) to prevent brute-force search,
Actually, that (bcrypt) is precisely what *the author of the article* (the one who you are saying is a crackpot) is suggesting to use - I guess you didn't even bother to read it or else you'd know that, so why bother commenting?
Again, sorry, I don't always know how to work my email client.
I don't see it as an extraordinary claim, and anyone who goes around claiming someone else is a crackpot without evidence to support the claim is just yammering.
Your article is fine, but you should always be skeptical because for every article like the one you posted, there are 100 like Gibson's.
<sigh> No, they don't, your claim is baseless and without merit.
Most people have never even known what their password *is*, much less written it down, because as I said (more than once), *I* set up their email clients (workstations, home computers and phones) *for them*.
The password is on the phone, in plain text. If I have the phone, I can read it as easily as if it was written in sharpie.
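To make the salt-versus-slow-hash distinction argued above concrete, here is a small added example (not code from the thread, the quoted article, or any participant). It uses a constructed five-word "wordlist" as the attacker's dictionary, a plain SHA-256 as the fast general-purpose hash, and PBKDF2-HMAC-SHA256 from the Python standard library as the stand-in for bcrypt, since bcrypt is not in the stdlib. The function names and the salt value are my own choices. It shows three things: a precomputed hash-to-plaintext table (a stand-in for a rainbow table) recovers an unsalted hash instantly; a salt defeats that table but does nothing to stop the attacker who has the salt from the dump and simply guesses each candidate; and only the slow KDF raises the cost of every one of those guesses.

```python
import hashlib
import hmac
import time

# Constructed sample wordlist standing in for an attacker's dictionary.
WORDLIST = ["password", "letmein", "123456", "hunter2", "correct horse"]

# Hypothetical per-user salt; in a real system this is random and stored
# next to the hash, so assume the attacker has it along with the hash.
SALT = bytes(range(16))

PBKDF2_ITERATIONS = 100_000


def fast_hash(password: str, salt: bytes = b"") -> str:
    """General-purpose hash (SHA-256) over salt || password. Fast by design."""
    return hashlib.sha256(salt + password.encode()).hexdigest()


def slow_hash(password: str, salt: bytes = b"") -> str:
    """Deliberately slow password hash (PBKDF2-HMAC-SHA256, many iterations).

    Stands in for bcrypt/scrypt here because it is in the standard library.
    """
    return hashlib.pbkdf2_hmac(
        "sha256", password.encode(), salt, PBKDF2_ITERATIONS
    ).hex()


def build_lookup_table(wordlist) -> dict:
    """Stand-in for a rainbow table: hash -> plaintext, computed once and
    reused against every victim whose hash was computed the same way."""
    return {fast_hash(word): word for word in wordlist}


def table_attack(table: dict, stored_hash: str):
    """O(1) lookup. Succeeds only if the stored hash was computed without
    a salt (or with the same salt the table was built with)."""
    return table.get(stored_hash)


def guess_attack(stored_hash: str, salt: bytes, wordlist, hash_fn):
    """Online guessing. The attacker already has the salt from the dump,
    so the salt adds no work per candidate; only hash_fn's cost matters."""
    for candidate in wordlist:
        if hmac.compare_digest(hash_fn(candidate, salt), stored_hash):
            return candidate
    return None


def cost_ratio(salt: bytes, fast_samples: int = 10_000, slow_samples: int = 3) -> float:
    """Measured per-guess cost of slow_hash relative to fast_hash."""
    t0 = time.perf_counter()
    for _ in range(fast_samples):
        fast_hash("hunter2", salt)
    fast_per_guess = (time.perf_counter() - t0) / fast_samples

    t0 = time.perf_counter()
    for _ in range(slow_samples):
        slow_hash("hunter2", salt)
    slow_per_guess = (time.perf_counter() - t0) / slow_samples
    return slow_per_guess / fast_per_guess


if __name__ == "__main__":
    table = build_lookup_table(WORDLIST)

    # 1. Unsalted fast hash: the precomputed table wins instantly.
    print("unsalted, table lookup:", table_attack(table, fast_hash("hunter2")))

    # 2. Salted fast hash: the table misses, but guessing still wins,
    #    because the attacker has the salt and SHA-256 is cheap.
    salted = fast_hash("hunter2", SALT)
    print("salted, table lookup:  ", table_attack(table, salted))
    print("salted, guessing:      ", guess_attack(salted, SALT, WORDLIST, fast_hash))

    # 3. Salted slow hash: guessing still works in principle, but every
    #    candidate now costs PBKDF2_ITERATIONS times as much.
    slow = slow_hash("hunter2", SALT)
    print("slow KDF, guessing:    ", guess_attack(slow, SALT, WORDLIST, slow_hash))
    print("slow/fast cost per guess: %.0fx" % cost_ratio(SALT))
```

The point the thread keeps circling: the salt only changes which attack the adversary must run (per-hash guessing instead of a shared lookup table), while the iteration count in the slow KDF is what sets the price of each guess. Raising PBKDF2_ITERATIONS (or bcrypt's cost factor) is the knob that actually matters against brute force.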