Salting Passwords


Problem description


I could really use some clarification as to how using a random salt protects against rainbow table attacks. It just isn't clicking for me.

Suppose there is a dumb application that requires passwords to be exactly five characters or less, and that salts those passwords with a nine-character random salt. If I have a rainbow table that has precomputed hashes of all character combinations 14 characters or less, how does the random salt provide any additional security? In this case won't the hashed value of the random salt + password combo be present in the rainbow table?

I have read multiple places that using a salt would force the cracker to generate an entirely new rainbow table; similarly, a random per-password salt would require a new rainbow table for each salt. Why?

Solution

If someone truly has a rainbow table containing the hash of all possible character combinations, then no, salting is of no help. But even assuming just A-Z, a-z, 0-9 as valid characters, that's 62^14 = 1.2x10^25 14-character passwords. So that's 170 billion petabytes of storage required.

Given that that's not feasible, the attacker must have a much smaller table, containing only the most likely character strings (e.g. all the words in a dictionary, intermingled with numbers, etc.). If you add a salt, then this table becomes useless. If the salt is fixed (and known), then the attacker could recompute a new table. But if each password has a different salt, then that won't work either.
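The answer's argument can be checked end to end in a few lines. The following Python is an added example, not code from the question or answer above: it builds the "much smaller table of likely strings" the answer describes (here a constructed five-entry list standing in for a dictionary), shows that the table recovers a bare SHA-256 hash in one lookup, that a salt moves the digest out of the table, that a fixed and known salt lets the table be recomputed once for every user, and that per-password random salts (with PBKDF2-HMAC-SHA256 from the standard library as the storage scheme, an assumption of this example) force one table per stored record. The `table_size` helper reproduces the 62^14 figure quoted in the answer.

```python
import hashlib
import hmac
import os

# Constructed list standing in for the answer's "much smaller table" of
# likely strings (dictionary words mixed with digits). Not real breach data.
LIKELY_PASSWORDS = ["password", "letmein", "hunter2", "qwerty1", "admin123"]

PBKDF2_ITERATIONS = 600_000  # iteration count assumed here for the storage scheme


def table_size(alphabet_size=62, length=14):
    """Number of strings of exactly `length` characters over the alphabet.
    With the defaults this is the 62^14 ~ 1.2x10^25 quoted in the answer."""
    return alphabet_size ** length


def unsalted_digest(password):
    """Bare SHA-256 of the password: what a precomputed table is built for."""
    return hashlib.sha256(password.encode()).hexdigest()


def salted_digest(password, salt):
    """SHA-256 over salt || password, the simplest form of salting."""
    return hashlib.sha256(salt + password.encode()).hexdigest()


def build_table(candidates, salt=b""):
    """Precompute digest -> plaintext for the candidate strings.
    salt=b"" gives the unsalted table; a fixed known salt gives the
    'recomputed' table the answer mentions, valid for every record that
    shares that salt."""
    return {salted_digest(p, salt): p for p in candidates}


def hash_password(password, salt=None, iterations=PBKDF2_ITERATIONS):
    """Defender side: fresh 16-byte random salt per password plus a slow KDF.
    Returns (salt, derived_key); both are stored, neither needs to be secret."""
    if salt is None:
        salt = os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, key


def verify_password(password, salt, stored_key, iterations=PBKDF2_ITERATIONS):
    """Recompute with the stored salt and compare in constant time."""
    _, key = hash_password(password, salt, iterations)
    return hmac.compare_digest(key, stored_key)


def tables_needed(stored_records):
    """Precomputed tables required to cover the given (salt, key) records:
    one per distinct salt. A fixed salt costs one table; per-password
    random salts cost one table per record."""
    return len({salt for salt, _ in stored_records})


if __name__ == "__main__":
    table = build_table(LIKELY_PASSWORDS)
    # Unsalted storage: a single dictionary lookup recovers the password.
    print(table.get(unsalted_digest("hunter2")))                 # hunter2
    # Any salt, even a short constant one, moves the digest out of that table.
    fixed = b"fixedsalt"
    print(table.get(salted_digest("hunter2", fixed)))            # None
    # ...but a fixed, known salt only costs the attacker one rebuilt table.
    print(build_table(LIKELY_PASSWORDS, fixed).get(salted_digest("hunter2", fixed)))  # hunter2
    # Per-password random salts: two users with the same password share nothing.
    s1, k1 = hash_password("hunter2")
    s2, k2 = hash_password("hunter2")
    print(s1 != s2, k1 != k2)                                    # True True
    print(verify_password("hunter2", s1, k1))                    # True
    print(tables_needed([(s1, k1), (s2, k2)]))                   # 2
    print(f"{table_size():.2e}")                                 # 1.24e+25
```

The `tables_needed` count is the whole point of the answer: a precomputed table is only worth building when it amortises across many targets, and a random salt per password reduces each table's coverage to exactly one record, at which point it is no cheaper than guessing against that record directly with the slow KDF.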
