[Catalyst] Re: Outcome of the "Security issue with hashed
passwords in C:P:A:Password"?
Andrew Rodland
andrew at cleverdomain.org
Fri Apr 9 01:24:26 GMT 2010
On Thursday 08 April 2010 08:12:24 pm Toby Corkindale wrote:
> On 08/04/10 22:49, Daniel Pittman wrote:
> > ...but your lost database *also* exposed user account/password pairs,
> > which can now be tried against other services, since people usually use
> > the same weak password and username all over the place.
>
> .. if they are using sufficiently weak passwords, such that they're
> present in a rainbow table? (Or do such rainbow tables contain every
> single possible SHA-1 value, ie. from random-looking strings that happen
> to correspond to the same sha-1 as the actual password?)
Or weak enough to brute-force. Not using salt reduces the difficulty of brute-forcing passwords by an order of magnitude (well, some number of orders of magnitude depending on the number of users you have) because you can make a single cracking run against *all users' passwords in parallel* rather than attacking each account individually.
Andrew
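To quantify the point Andrew makes above, here is an added example (not from the thread or from Catalyst::Plugin::Authentication) that counts how many hash operations a guesser must perform against an unsalted SHA-1 store versus a per-user-salted one. The user table and candidate list are constructed sample data; the salt itself does not slow down a single guess, it only stops one guess from being checked against every account at once.

```python
import hashlib
import os
from typing import Dict, List, Tuple

# Constructed sample data: a small user table and a short guess list.
USERS: Dict[str, str] = {
    "alice": "sunshine",
    "bob": "letmein",
    "carol": "sunshine",      # same password as alice
    "dave": "Tr0ub4dor&3",
}
CANDIDATES: List[str] = ["password", "sunshine", "letmein", "qwerty"]


def sha1_hex(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()


def store_unsalted(users: Dict[str, str]) -> Dict[str, str]:
    # Unsalted: digest depends only on the password, so equal passwords
    # produce equal digests and one digest can be matched against all users.
    return {u: sha1_hex(p.encode()) for u, p in users.items()}


def store_salted(users: Dict[str, str]) -> Dict[str, Tuple[bytes, str]]:
    # Per-user random salt stored next to the digest.
    return {u: (s, sha1_hex(s + p.encode()))
            for u, p in users.items() for s in [os.urandom(16)]}


def work_unsalted(store: Dict[str, str], candidates: List[str]) -> Tuple[int, int]:
    # One hash per candidate, looked up against every stored digest at once.
    by_digest: Dict[str, List[str]] = {}
    for user, digest in store.items():
        by_digest.setdefault(digest, []).append(user)
    hashes = recovered = 0
    for c in candidates:
        hashes += 1
        recovered += len(by_digest.get(sha1_hex(c.encode()), []))
    return hashes, recovered


def work_salted(store: Dict[str, Tuple[bytes, str]], candidates: List[str]) -> Tuple[int, int]:
    # The salt differs per user, so every (user, candidate) pair needs its own hash.
    hashes = recovered = 0
    for salt, digest in store.values():
        for c in candidates:
            hashes += 1
            recovered += sha1_hex(salt + c.encode()) == digest
    return hashes, recovered
```

Running both over the same sample data recovers the same three weak passwords, but the salted store forces one hash per user per guess (len(users) times more work), which is exactly the factor Andrew describes.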