Friday, September 14, 2007

I would like some salt with that password, please

Jeff Atwood wrote an interesting post on using "Rainbow tables", which are pre-calculated hashes of a range of possible strings, used to brute-force crack a password database.

One of the better methods for stopping someone who has your encrypted password from deducing the unencrypted version is "salting" your passwords before storing them: you concatenate the password string with a long constant string before encoding it, thus making a brute-force attack impossible (unless someone manages to get hold of your server's code).

For example, you can add the string "FarBetterEncryptedPasswordWithThisAttachedToIt" to every 6-character password before encrypting, forcing the attacker to compute all possible combinations for a 52-character string instead of for a 6-character string.
While rainbow tables would allow a 6-character password to be cracked in minutes, cracking a 52-character password would take years and would require huge amounts of RAM.
