[rythie]

So basically the algorithm is in the code, so anyone who has ever seen the code knows the algorithm, which you can't change after you have actual users. Any ex-employee could take a copy of the verify function and a dump of the database and hack it home. Similarly a cracker who gets a DB dump of the passwords will probably get your code too.

Running sha1() in PHP on each of the 98569 words in /usr/share/dict/words takes 1 second on my laptop. Appending all of the numbers 1-100 to each of those, not surprisingly ups the time to about 1m40s. You'll probably get quite a lot of users with passwords like that.

[ErrantX]

Yes but that's NOT the issue were discussing here is it. You take steps to hide the algorithm from as many people as possible etc. It's not that hard to do.

Finally in a RL scenario I would use the password itself to generate the rotation schema. Provided you required at least 6 characters from your users and a least one number then you can quite fairly combat the brute force approach. The way to do this is to generate a completely random salt and then use the password to create a scheme to rotate the salt into the password. Then hash the result and use the known pattern & the password to generate another scheme to rotate the salt into the hash.

The advantage of this is that even if you have a the hash you cant just pull the hash out of the string and append the salt onto every password in your list & then hash it. You have to reverse engineer the salted hash for EVERY password substantially adding to your decryption time. Because the salt is also pseudo-randomly generated it also means that you have to attack every password in this way - you cant pre-generate all the possible hashes and test them because I have basically ignored what the user has entered and increased the keyspace up to around 8e+24. Even the brute force mechanism has a hurdle to overcome because the keyspace assuming an 8 char password is 2821109907456. (there are yet other steps to take to overcome the dictionary style attack)

Add in the requirement for the user to enter at least 8 characters at least one of which is a number and your making it a VERY bad day for a would be cracker :)

[rythie]

Yes, this was my original point: "Cracking hashed passwords offline is no big deal on a single machine unless you have really strong password policy"

i.e. if you allow users to set something weak as a password like a dictionary word then it doesn't matter what salting method you have, since you can try them all pretty quickly. (Probably saying "really" was pushing it a bit)

I've seen salting on it's own doesn't work since 'John the Ripper' (http://www.openwall.com/john/) can go though a password file that has a different salt for each user and find some passwords in a few seconds. It doesn't have rainbow tables, it just tries a given password with all of the different salts and compares them. This is why you also need a strong password.

You said: "Allowing password security to depend on what the user enters IS silly"

and now you are saying: "Provided you required at least 6 characters from your users and a least one number then you can quite fairly combat the brute force approach."

Now you are saying a salting combined with a strong password policy is the solution and not either in isolation. Which I agree with.