by timo_h
5023 days ago
> That's defending against a newly generated rainbow table.

You lost me here. Anyway, the attacker does not need a rainbow table at all to attack against multiple hashes at the price of one.

> That's repeating the first point with different words! It's defending against a pre-generated table. i.e. a rainbow table.

Again, no rainbow tables at all are needed to see if different entries share a password or not. About timing attacks, see my earlier comment in this comment chain.

> You should not rely on salts for this. In fact, if your hash is exposed you should assume your salt is also exposed.

I see and agree with your point about "relying on salts", but salts just happen to (as a side-effect probably) mitigate the attack. Remember, your salts are not exposed "as-is" if the attacker manages to fetch the password hash using timing.
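An added illustration, not part of timo_h's comment: a small audit of a credential table showing the two effects discussed above, namely that identical unsalted hashes reveal shared passwords without any table, and that one hash computation checks a candidate against every unsalted entry. The account names, passwords, and helper names are constructed for this example, and plain SHA-256 is an assumption made to keep it short.

```python
import hashlib
import os
from collections import defaultdict

# Constructed sample accounts (not from the thread).
USERS = {"alice": "hunter2", "bob": "correct horse",
         "carol": "hunter2", "dave": "letmein"}

def digest(password, salt=b""):
    # Plain SHA-256 keeps the demo short; real storage should use a slow KDF.
    return hashlib.sha256(salt + password.encode()).hexdigest()

def build_unsalted(users):
    """Every entry is stored as (empty salt, hash)."""
    return {u: (b"", digest(p)) for u, p in users.items()}

def build_salted(users):
    """Every entry gets its own random 16-byte salt."""
    db = {}
    for user, password in users.items():
        salt = os.urandom(16)
        db[user] = (salt, digest(password, salt))
    return db

def shared_password_groups(db):
    """Users whose stored hashes are identical: visible by comparison alone."""
    groups = defaultdict(list)
    for user, (_salt, stored) in db.items():
        groups[stored].append(user)
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)

def hashes_per_candidate(db):
    """Hash computations needed to test ONE candidate against all entries.

    One computation covers every entry sharing a salt, so the cost is the
    number of distinct salts in the table.
    """
    return len({salt for salt, _stored in db.values()})

if __name__ == "__main__":
    for label, db in (("unsalted", build_unsalted(USERS)),
                      ("salted", build_salted(USERS))):
        print(label, shared_password_groups(db), hashes_per_candidate(db))
```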