[eluser]wowdezign[/eluser]
The discussion seems to be past the point of which is best because of what Rick Jolly mentioned in post #16.
If I understood him correctly, he's is saying that it would be easy for an attacker to not use a rainbow table, but just test out dictionary + salt and check it against the hash value.
So if I run
Code:
if(md5(stored_salt + dictionary_word) == hashed_password){
// log dictionary word (the username)
}
That would yield results very quickly. The known element in this scenario is the dictionary word.
However, in the case of a rainbow table, the known element is the relationship between the hashed password and the potential input. By throwing the salt in the mix, even if it is known
Code:
if(rainbow_hash==stored_hash){
// log rainbow input (the username)
}
now becomes:
Code:
if(md5(rainbow_input+stored_salt) == stored_hash){
// log results
}
Two different techniques. (That is if I am following correctly).
That is why the link that that n0xie posted earlier says the slower the hash algorithm, the better.
So the user-specific salt is effective against a "Cracker" that has one goal in mind, to get all the results. And the common operation on the salt (or site wide salt) thwarts the efforts of the "Script Kiddie" that just wants to get anything he or she can.
