From: Alan McKinnon <alan.mckinnon@gmail.com>
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] Re: scripted iptables-restore
Date: Mon, 14 Oct 2013 22:31:17 +0200
Message-ID: <525C5495.70804@gmail.com>
In-Reply-To: <525C434C.8040905@orlitzky.com>
On 14/10/2013 21:17, Michael Orlitzky wrote:
> On 10/14/2013 02:49 PM, Martin Vaeth wrote:
>>
>>> Hiding the salt would just be security through obscurity.
>>
>> And yet it is stupid if you do not do it and give away a
>> huge constant factor for no advantage.
>>
>
> (I'll just agree to disagree about the rest.)
>
> Keeping the salt secret makes your application more complex. Rather than
> "SELECT hash, salt FROM users WHERE...", you now have to "SELECT hash
> FROM users WHERE..." and then pull the salt from somewhere else. (Where?
> The filesystem? Do you encrypt that? How?)
>
> What's stupid is going to all that effort for a 2x improvement when you
> could twiddle a bit and get a 340282366920938463463374607431768211456x
> improvement.
>
>
Keep in mind the actual original purpose of a salted hash.

If two users happen to use the same password[1], the hashes are the same
and this is revealed to anyone who can read /etc/passwd[2], i.e. everyone.
Salt obscures this 1-to-1 mapping and does it in a way that it is not
computationally worthwhile to try to get around it for the general
case[3]. It's not quite the same thing as security by obscurity - that
is hiding something in a place you think no-one will think of looking
but usually turns out to be viable to try and guess. Salt works because
brute force now doesn't need just one expensive calculation, it needs
many thousands of expensive calculations.

If the actual problem is that salt is inadequate, the solution is not to
try and hide it, but to use a more complex hashing algorithm with larger
salt. It's a race between white and black hats - they build bigger and
better rainbow tables, we implement bigger and better hashes. The
constraint is how much CPU grunt is available for purchase at a
realistic cost.

[1] This is not uncommon. The domain size of all possible passwords for
an implementation is very very large. Human psychology says that the
actual domain size of passwords people will pick is a tiny fraction of
the whole. Hence salt.
[2] Nowadays we use shadow, but the development of salt pre-dates shadow.
--
Alan McKinnon
alan.mckinnon@gmail.com
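A worked illustration of the two properties Alan describes (salt hides which users share a password, and it forces a guessing pass per user instead of one pass for the whole table), added here as example code that is not part of the thread. The user table and the candidate-password dictionary are constructed sample data; the hash parameters are illustrative, not a recommendation.

```python
import hashlib
import secrets

# Constructed sample data: alice and bob share a password, the case in the thread.
USERS = {"alice": "hunter2", "bob": "hunter2", "carol": "correct horse"}
DICTIONARY = ["password", "hunter2", "letmein", "correct horse"]  # constructed


def unsalted_hash(password: str) -> str:
    return hashlib.sha256(password.encode()).hexdigest()


def salted_hash(password: str, salt: bytes, iterations: int = 1000) -> str:
    # Salt is a public per-user input to the hash, not a secret.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()


def build_unsalted_table(users: dict) -> dict:
    return {user: unsalted_hash(pw) for user, pw in users.items()}


def build_salted_table(users: dict, salt_len: int = 16) -> dict:
    # Each user gets a fresh random salt; the table stores (salt, hash) in the clear.
    return {user: (salt := secrets.token_bytes(salt_len), salted_hash(pw, salt))
            for user, pw in users.items()}


def duplicate_passwords_visible(unsalted_table: dict) -> list:
    """Pairs of users whose stored hashes are identical: the 1-to-1 mapping leak."""
    seen, dups = {}, []
    for user, h in unsalted_table.items():
        dups.append((seen[h], user)) if h in seen else seen.setdefault(h, user)
    return dups


def crack_unsalted(table: dict, dictionary: list) -> tuple:
    """One hash per candidate serves every user at once (a rainbow-table style lookup)."""
    lookup = {unsalted_hash(c): c for c in dictionary}       # len(dictionary) hash ops
    cracked = {u: lookup[h] for u, h in table.items() if h in lookup}
    return cracked, len(dictionary)


def crack_salted(table: dict, dictionary: list) -> tuple:
    """The per-user salt forces a fresh pass over the dictionary for each user."""
    cracked, ops = {}, 0
    for user, (salt, h) in table.items():
        for candidate in dictionary:
            ops += 1                                         # one expensive hash per guess
            if salted_hash(candidate, salt) == h:
                cracked[user] = candidate
                break
    return cracked, ops
```

Comparing the returned operation counts shows the multiplier salt buys: the unsalted table falls to one pass over the dictionary, while the salted one costs a pass per user, and the precomputed lookup cannot be reused across users at all.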