Databases
StackOverflow2013
Postsdbo
PO
 

Note that there are some explanatory texts on larger screens.

plurals
  1. PO
    primarykey
    data
    text
    <p>The salt helps protect against an attacker using a precomputation or dictionary attack. When a salt is used, the attacker needs to create a separate dictionary for every salt value. However, if the salt isn't random you give the attacker an advantage, because they can create dictionaries that are more likely than others. For example, they could create a dictionary using a salt of jsmith (or hash of jsmith). For this reason, it is generally a good idea for the salt to be random. </p> <p>Comparing a precomputation attack against a hash(username) salt and a random salt: let's say for example the attacker decides to create dictionaries for the most common 1000 usernames and, say, half a dozen different hash algs; that's 6000 salts and so 6000 dictionaries. If a random 32 bit salt is used that's 2^32 or circa 4.2 billion dictionaries. So when the salt space is dramatically reduced (like it is by using hash(username)) precomputed attacks become much more feasible</p>
    singulars
    1. This table or related slice is empty.
    1. POCan per-user randomized salts be replaced with iterative hashing?
      singulars
      1. PTQuestion
    1. PTAnswer
    1. USbignum
    1. USbignum
    plurals
    1. This table or related slice is empty.
    1. This table or related slice is empty.
    1. POCan per-user randomized salts be replaced with iterative hashing?
      singulars
      1. PTQuestion
    1. This table or related slice is empty.
    1. VO
      singulars
      1. PO
      1. This table or related slice is empty.
      1. VTUpMod
    2. VO
      singulars
      1. PO
      1. This table or related slice is empty.
      1. VTUpMod
    3. VO
      singulars
      1. PO
      1. This table or related slice is empty.
      1. VTUpMod
    1. COIt seems a little crazy that an attacker would generate dictionaries that assume salts of hash(username), especially (a) given the variety of hash functions and block sizes in the wild, and (b) the fact that an attacker wouldn't be able to infer the hash used to generate the salt from the salted password they have available to them.
      singulars
      1. PO
      1. UScemerick
    2. CO@Chas: Read enough advisories, you will probably see people fall down with this by making a small app, turning it into a high profile app, and they don't re-check their assumptions. But you're right in that there's a point where if you're a big enough target, they'll find a cheaper attack than this. Like the phishing. The good news is that it's not very hard to make authentication not be your tall tent pole. Use salts (plural), use cryptographic hashes, and use SSL for login pages (salted password files are particularly sensitive to Man in the Middle attacks. *cue Rook to detail how*)
      singulars
      1. PO
      1. USJason
    3. CO@Jason: Yup, we hit all three (our entire site shall be run over SSL). I've now long since just tossed in large, random, per-user, regenerated-on-each-pw-change salts (co-located with the passwords, sorry Rook ;-), as it's easy enough, and I don't mind being a little more paranoid to match up with what is considered best practices. Unfortunately, it doesn't look like I'm going to find clarity w.r.t. the original question. Thanks for the tips otherwise, tho. :-)
      singulars
      1. PO
      1. UScemerick
 

Querying!

 
Guidance
A row detail

Detail views are divided into sections. All the information in the data section comes from columns in the selected row. The other sections display data from other, related rows.

Related data can be related in a to-one or a to-many fashion. Captions of data related in a to-many fashion link to a list view showing a filtered view of the table.

Try moving around until you find a non-empty to-many entry and click on the label to get to one. You can move back to the root by clicking on the database name in the header.

SQuiL has stopped working due to an internal error.

If you are curious you may find further information in the browser console, which is accessible through the devtools (F12).

Reload