Sign Up to our social questions and Answers Engine to ask questions, answer people’s questions, and connect with other people.
Login to our social questions & Answers Engine to ask questions answer people’s questions & connect with other people.
Lost your password? Please enter your email address. You will receive a link and will create a new password via email.
Please briefly explain why you feel this question should be reported.
Please briefly explain why you feel this answer should be reported.
Please briefly explain why you feel this user should be reported.
I just read an article. And it’s said:
So I’m not saying salts are without purpose, I’m saying that they
don’t prevent dictionary or brute force attacks (which they don’t).
If you have a database dump, with hashed passwords and salts, you can start brute force only if you know crypt algorithm. If you use open source, it can be a problem. But if you change algorithm a little, it’s not a problem, until somebody know it. Am I right?
Troy Hunt recently wrote an excellent article, Our password hashing has no clothes, detailing the evolution of password hashing, including Salts.
Although Salts prevented direct comparisons with pre-hashed rainbow tables, his point is that hardware has improved to the point where applying the salt to an unhashed rainbow password and comparing salted hashes can now be done in a short time due to Moore’s law.
As Trickfire states, using a proprietary hashing algorithm is security through obscurity. If the attacker has your database, he will also likely be able to get your app and disassemble it and obtain the algorithm.