by rythie
6249 days ago
Yes, this was my original point:
"Cracking hashed passwords offline is no big deal on a single machine unless you have a really strong password policy", i.e. if you allow users to set something weak as a password, like a dictionary word, then it doesn't matter what salting method you have, since you can try them all pretty quickly. (Probably saying "really" was pushing it a bit.) I've seen that salting on its own doesn't work, since 'John the Ripper' (http://www.openwall.com/john/) can go through a password file that has a different salt for each user and find some passwords in a few seconds. It doesn't have rainbow tables; it just tries a given password with all of the different salts and compares them. This is why you also need a strong password. You said:
"Allowing password security to depend on what the user enters IS silly" and now you are saying:
"Provided you require at least 6 characters from your users and at least one number then you can quite fairly combat the brute force approach." Now you are saying that salting combined with a strong password policy is the solution, and not either in isolation. Which I agree with.
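The point made in the comment above, shown in code. This is an added example, not code from the commenter or from John the Ripper: it stores a few constructed sample passwords with a unique random salt per user, runs a tiny constructed wordlist over the stored records as an internal audit, and applies the policy quoted in the comment (at least 6 characters, at least one digit). The `ITERATIONS` value, the user names, the passwords and the wordlist are all assumptions made for the demo. Per-user salts stop any precomputation from being shared between users, so each guess costs one fresh hash; but a weak password still falls after a handful of those hashes, and only the policy would have kept the two weak choices out of the database. The `slow=True` variant shows the other lever a defender has: a deliberately slow KDF (PBKDF2 here) makes every one of those guesses far more expensive.

```python
import hashlib
import hmac
import os
import re

# Work factor for the slow (PBKDF2) variant; an assumed value chosen for this demo.
ITERATIONS = 100_000


def make_record(password, slow=False):
    """Store a password as (unique random salt, digest).

    slow=False: a single salted SHA-256, cheap to verify and equally cheap to guess.
    slow=True:  PBKDF2-HMAC-SHA256, so every guess costs ITERATIONS hash calls.
    """
    salt = os.urandom(16)
    pw = password.encode()
    if slow:
        digest = hashlib.pbkdf2_hmac("sha256", pw, salt, ITERATIONS)
    else:
        digest = hashlib.sha256(salt + pw).digest()
    return {"salt": salt, "digest": digest, "slow": slow}


def verify(record, candidate):
    """Recompute the digest with the stored salt and compare in constant time."""
    pw = candidate.encode()
    if record["slow"]:
        digest = hashlib.pbkdf2_hmac("sha256", pw, record["salt"], ITERATIONS)
    else:
        digest = hashlib.sha256(record["salt"] + pw).digest()
    return hmac.compare_digest(digest, record["digest"])


def meets_policy(password):
    """The policy quoted in the comment: at least 6 characters and at least one digit."""
    return len(password) >= 6 and re.search(r"\d", password) is not None


def audit_against_wordlist(records, wordlist):
    """Check each stored record against a small wordlist, as an internal audit.

    Because every user has a different salt, nothing can be precomputed or shared
    between users: each (user, word) pair costs one fresh hash. Returns the set of
    users whose password appeared in the list and the number of hashes computed.
    """
    found = set()
    computations = 0
    for user, rec in records.items():
        for word in wordlist:
            computations += 1
            if verify(rec, word):
                found.add(user)
                break
    return found, computations


def users_failing_policy(passwords):
    """Users whose chosen password the quoted policy would have rejected."""
    return {u for u, p in passwords.items() if not meets_policy(p)}


# Constructed sample data: three users and a four-word list. Not real credentials.
SAMPLE_PASSWORDS = {"alice": "password", "bob": "letmein", "carol": "Tr0ub4dor&3"}
SAMPLE_WORDLIST = ["123456", "password", "letmein", "qwerty"]


def demo(slow=False):
    """Returns (users matched by the wordlist, hashes computed, users the policy rejects)."""
    records = {u: make_record(p, slow) for u, p in SAMPLE_PASSWORDS.items()}
    found, n = audit_against_wordlist(records, SAMPLE_WORDLIST)
    return found, n, users_failing_policy(SAMPLE_PASSWORDS)


if __name__ == "__main__":
    found, n, rejected = demo()
    print(f"Matched by wordlist: {sorted(found)} after {n} salted hashes")
    print(f"Would have been rejected by the policy: {sorted(rejected)}")
```

Running `demo()` matches alice and bob after only 9 salted hashes, while carol survives the whole list; `users_failing_policy` returns exactly the same two users, which is the comment's conclusion in one line: the salt prevents shared work across users, the policy is what removes the passwords that fall anyway, and the slow KDF raises the price of each remaining guess.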