phpass HAVE BEEN CRACKED! What is the solution?
[eluser]Tom Schlick[/eluser]
[quote author="n0xie" date="1245215407"]This is why you randomly salt your hashes (yes, randomly, not via an encryption key, as I see some of the 'auth' libraries do). Even if you expose your whole user table to the outside world, an attacker would have to build a unique rainbow table for each row, making it a lot less attractive. Anyway, rainbow tables are not really the issue. It's the hashing algorithms that are at 'fault'. I suggest anyone really interested in the subject read this, even if it's just for this memorable quote:

Quote: There are three big differences between Provos-Mazieres and PHK's scheme:[/quote]

Mine does both. It uses a random salt for each user combined with their password, and on the other end is what I call 'pepper', which is exactly like the encryption key but a different string. This way, if they steal your DB, they don't have the one that is in the code, which makes it impossible to access the passwords (without 500 supercomputers and about 10,000 years).
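The per-user random salt plus server-side "pepper" scheme described in the post above, written out as an added example in Python using only the standard library (it is not the poster's library, not phpass, and not CodeIgniter code). The pepper value, iteration count and sample passwords are constructed for the illustration. The pepper is applied with HMAC before a slow PBKDF2 stretch over the per-user salt, so a dumped users table carries the salt but never the pepper, and two users with the same password still get different records:

```python
"""Per-user random salt plus a server-side 'pepper' (added example, not the
poster's code). Stored record format: pbkdf2_sha256$iterations$salt$hash."""
import base64
import hashlib
import hmac
import os
from typing import Optional

# Constructed pepper: lives in application code/config, never in the database.
# A real deployment loads it from a secret store outside the DB.
PEPPER = b"example-pepper-not-for-production"
ITERATIONS = 100_000   # PBKDF2 work factor; tune to your hardware
SALT_BYTES = 16        # 128-bit random salt per user


def _b64(raw: bytes) -> str:
    # Base64 never contains '$', so it is safe inside the '$'-separated record.
    return base64.b64encode(raw).decode("ascii")


def hash_password(password: str, pepper: bytes = PEPPER,
                  salt: Optional[bytes] = None) -> str:
    """Hash a password with a fresh random salt and the server-side pepper.

    The pepper keys an HMAC over the password first, then PBKDF2 stretches the
    result with the per-user salt. Only the salt is stored in the record.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)          # new random salt for every user
    peppered = hmac.new(pepper, password.encode("utf-8"), hashlib.sha256).digest()
    dk = hashlib.pbkdf2_hmac("sha256", peppered, salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${_b64(salt)}${_b64(dk)}"


def verify_password(password: str, record: str, pepper: bytes = PEPPER) -> bool:
    """Recompute from the stored salt/iterations and compare in constant time."""
    try:
        algo, iters, salt_b64, dk_b64 = record.split("$")
    except ValueError:
        return False                            # malformed record
    if algo != "pbkdf2_sha256":
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(dk_b64)
    peppered = hmac.new(pepper, password.encode("utf-8"), hashlib.sha256).digest()
    dk = hashlib.pbkdf2_hmac("sha256", peppered, salt, int(iters))
    return hmac.compare_digest(dk, expected)


def demo() -> dict:
    """Show the properties the scheme is meant to provide (constructed inputs)."""
    rec1 = hash_password("correct horse")
    rec2 = hash_password("correct horse")       # same password, second user
    return {
        # random salt: identical passwords produce different stored records
        "same_password_different_records": rec1 != rec2,
        "verifies": verify_password("correct horse", rec1),
        "wrong_password": verify_password("wrong", rec1),
        # a stolen table without the pepper cannot even confirm a guess
        "stolen_db_without_pepper": verify_password("correct horse", rec1, pepper=b"guess"),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The pepper raises the bar for an attacker who has only the database, but it is a secret, not a substitute for a slow hash: if both the table and the application code leak, the work factor (here the PBKDF2 iteration count; bcrypt in phpass) is what limits offline guessing, so keep both.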