[Catalyst] Re: Outcome of the "Security issue with hashed passwords in C:P:A:Password"?

Daniel Pittman daniel at rimspace.net
Fri Apr 9 05:57:17 GMT 2010


Andrew Rodland <andrew at cleverdomain.org> writes:
> On Thursday 08 April 2010 08:12:24 pm Toby Corkindale wrote:
>> On 08/04/10 22:49, Daniel Pittman wrote:
>> > ...but your lost database *also* exposed user account/password pairs,
>> > which can now be tried against other services, since people usually use
>> > the same weak password and username all over the place.
>> 
>> ... if they are using sufficiently weak passwords, such that they're
>> present in a rainbow table? (Or do such rainbow tables contain every
>> single possible SHA-1 value, ie. from random-looking strings that happen
>> to correspond to the same sha-1 as the actual password?)

The table of every possible 8-byte value is ~ 197MB, and only about 2.3PB for
all possible 12-byte values.  If you eliminate characters that are not going
to be present in passwords (since that is 12! permutations * 256 byte-values *
20 bytes of SHA1) you increase length for the same rainbow table.

So, yes, those contain everything.  You can even download pregenerated rainbow
tables for some lengths, or pay commercial companies for use of theirs, if you
wish.

> Or weak enough to brute-force. Not using salt reduces the difficulty of
> brute-forcing passwords by an order of magnitude (well, some number of
> orders of magnitude depending on the number of users you have) because you
> can make a single cracking run against *all users' passwords in parallel*
> rather than attacking each account individually.

*nod*  Also.
        Daniel
-- 
✣ Daniel Pittman            ✉ daniel at rimspace.net            ☎ +61 401 155 707
               ♽ made with 100 percent post-consumer electrons
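The point in Andrew's quoted paragraph, that an unsalted hash store lets one cracking run cover every account at once while a per-user salt forces a separate run per account, shown in code. This is an added example, not code from the thread or from Catalyst::Plugin::Authentication: the accounts, wordlist and salts are constructed here, and the salted scheme SHA1(salt || password) is an assumption chosen for illustration.

```python
"""Unsalted vs salted SHA-1 password stores: how much work a wordlist attack costs.

Added example for the Catalyst thread, not the plugin's own code. The user
accounts, the wordlist and the salting scheme SHA1(salt || password) are all
constructed/assumed here for illustration.
"""
import hashlib
import os
from collections import defaultdict

# Constructed sample accounts; several share a weak password, one is strong.
PLAINTEXTS = {
    "alice": "password1",
    "bob": "letmein",
    "carol": "password1",
    "dave": "Tr0ub4dor&3",   # not in the wordlist, should survive both attacks
    "erin": "letmein",
}
# Constructed attacker wordlist (a real one would be millions of entries).
WORDLIST = ["123456", "password", "password1", "letmein", "qwerty", "monkey"]


def sha1_hex(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()


def store_unsalted(plaintexts):
    """Unsalted store: hash = SHA1(password). Equal passwords give equal hashes."""
    return {user: sha1_hex(pw.encode()) for user, pw in plaintexts.items()}


def store_salted(plaintexts, salt_len=16):
    """Salted store: hash = SHA1(salt || password) with a random per-user salt
    (assumed scheme; the salt is stored beside the hash, it is not secret)."""
    store = {}
    for user, pw in plaintexts.items():
        salt = os.urandom(salt_len)
        store[user] = (salt, sha1_hex(salt + pw.encode()))
    return store


def duplicate_password_groups(store):
    """Accounts that share a password, visible in an unsalted store before any
    cracking at all. Returns a sorted list of sorted user groups of size > 1."""
    by_hash = defaultdict(list)
    for user, entry in store.items():
        h = entry[1] if isinstance(entry, tuple) else entry
        by_hash[h].append(user)
    return sorted(sorted(g) for g in by_hash.values() if len(g) > 1)


def crack_unsalted(store, wordlist):
    """One SHA-1 per candidate, checked against every account in one lookup.
    Returns (cracked {user: password}, number of hashes computed)."""
    by_hash = defaultdict(list)
    for user, h in store.items():
        by_hash[h].append(user)
    cracked = {}
    hashes_computed = 0
    for candidate in wordlist:
        hashes_computed += 1
        for user in by_hash.get(sha1_hex(candidate.encode()), ()):
            cracked[user] = candidate
    return cracked, hashes_computed


def crack_salted(store, wordlist):
    """The per-user salt makes every account a separate pass over the wordlist
    (stopping early on a hit). Returns (cracked, number of hashes computed)."""
    cracked = {}
    hashes_computed = 0
    for user, (salt, h) in store.items():
        for candidate in wordlist:
            hashes_computed += 1
            if sha1_hex(salt + candidate.encode()) == h:
                cracked[user] = candidate
                break
    return cracked, hashes_computed


if __name__ == "__main__":
    unsalted, salted = store_unsalted(PLAINTEXTS), store_salted(PLAINTEXTS)
    print("shared passwords visible without cracking:", duplicate_password_groups(unsalted))
    print("unsalted: cracked %s with %d hashes" % crack_unsalted(unsalted, WORDLIST))
    print("salted:   cracked %s with %d hashes" % crack_salted(salted, WORDLIST))
```

The cracked set is the same in both cases; what changes is the cost (here 6 hashes against the unsalted store versus 20 against the salted one, and the gap grows with the number of accounts) and the fact that the unsalted store leaks which users share a password before a single hash is computed. A salt only removes the shared-work advantage; each candidate still costs one fast SHA-1, which is why password storage also wants a deliberately slow hash such as bcrypt rather than a bare salted SHA-1.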