[Catalyst] Re: Outcome of the "Security issue with hashed passwords in C:P:A:Password"?

Andrew Rodland andrew at cleverdomain.org
Fri Apr 9 01:24:26 GMT 2010


On Thursday 08 April 2010 08:12:24 pm Toby Corkindale wrote:
> On 08/04/10 22:49, Daniel Pittman wrote:
> > ...but your lost database *also* exposed user account/password pairs,
> > which can now be tried against other services, since people usually use
> > the same weak password and username all over the place.
> 
> .. if they are using sufficiently weak passwords, such that they're
> present in a rainbow table? (Or do such rainbow tables contain every
> single possible SHA-1 value, i.e. from random-looking strings that happen
> to correspond to the same sha-1 as the actual password?)

Or weak enough to brute-force. Not using salt reduces the difficulty of brute-
forcing passwords by an order of magnitude (well, some number of orders of 
magnitude depending on the number of users you have) because you can make a 
single cracking run against *all users' passwords in parallel* rather than 
attacking each account individually.

Andrew
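The "one run against all users in parallel" point above, made concrete as an added example (not code from the thread or from C:P:A:Password): a constructed user table is stored once with unsalted SHA-1 and once with a per-user salt, and a guessing loop counts how many hash computations it needs to test the same candidate list against every account. The user names, passwords and candidate words are constructed sample data.

```python
import hashlib
import os

# Constructed sample user table; these are NOT real credentials.
USERS = {"alice": "secret1", "bob": "hunter2", "carol": "secret1"}
# Constructed candidate list used for the cost comparison.
CANDIDATES = ["password", "letmein", "secret1", "hunter2"]


def sha1_hex(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()


def store_unsalted(users):
    """Unsalted SHA-1: identical passwords give identical digests."""
    return {u: sha1_hex(p.encode()) for u, p in users.items()}


def store_salted(users, salt_len=16):
    """Per-user random salt kept beside the digest (hypothetical layout)."""
    out = {}
    for u, p in users.items():
        salt = os.urandom(salt_len)
        out[u] = (salt.hex(), sha1_hex(salt + p.encode()))
    return out


def guess_cost_unsalted(table, candidates):
    """Returns (matched_users, hash_ops). One digest per candidate is looked
    up against every stored hash at once, so cost grows with the candidate
    list, not with the number of users."""
    by_hash = {}
    for u, h in table.items():
        by_hash.setdefault(h, []).append(u)
    ops, matched = 0, {}
    for c in candidates:
        ops += 1
        for u in by_hash.get(sha1_hex(c.encode()), []):
            matched[u] = c
    return matched, ops


def guess_cost_salted(table, candidates):
    """Each user's salt must be combined with each candidate separately,
    so cost is roughly candidates x users; the shared digests collapse."""
    ops, matched = 0, {}
    for u, (salt_hex, h) in table.items():
        salt = bytes.fromhex(salt_hex)
        for c in candidates:
            ops += 1
            if sha1_hex(salt + c.encode()) == h:
                matched[u] = c
                break
    return matched, ops
```

Salting only removes the shared-work shortcut; a plain salted SHA-1 is still one fast hash per guess, which is why a deliberately slow password hash (e.g. bcrypt) is used in addition to a salt.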


