Welcome Guest, Not a member yet? Register   Sign In
CodeIgniter Forums Archived Discussions Archived Development & Programming Is there a case for encryption/rotation before hashing
Is there a case for encryption/rotation before hashing
  • El Forum
    Guest
  •  
#1
03-19-2009, 09:19 AM

[eluser]richthegeek[/eluser]
Hi,

I am wondering if rotating or encrypting the characters in a password before hashing it for storage would provide any storage benefit.

My reasoning is thus:
Ignoring the weirdos who use a 22-long numeric password, A standard password contains between 5-10 characters, mostly within the set [A-Z0-9_-]. The use of rainbow tables to break hashes relies somewhat on the idea that passwords contain only a small set of possible characters, and usually that they are in the dictionary.

If we rotate the characters in the password field by an arbitrary amount, we are likely to force the password to include a lot more special and punctuation characters than before.

To see some rotated strings, http://richardlyon.co.uk/rotpass.php

Numbers above 30 basically garuantee the password contains lots of chars.






Anyway, any cryptological reasons this would or wouldn't make a password more secure?
  • El Forum
    Guest
  •  
#2
03-19-2009, 09:37 AM

[eluser]drewbee[/eluser]
For me, I salt the passwords with a 128 bit string of random, off the wall characters, then append their password to it. Confusedhrug:

It's rather moot in the fact that if the user is using the front end of the site to access accounts, their trial attempts are getting the salt as well. The salt is far more useful in terms of if the database is compromised. Rainbows would have a hard time getting even the simplest of passwords cracked.

I believe this is the case for the rotation as well. If we are applying the same rules to the password from the front end, the hacker still has the same matching rules. Unless I am miss understanding something here.

This is why it is essential to only allow users to attempt to enter a password so many times within a time frame before denying access for x amount of time. It really slows down the rainbow table / brute force attack attempts.
  • El Forum
    Guest
  •  
#3
03-19-2009, 09:57 AM

[eluser]jedd[/eluser]
I thought rainbow tables were only useful if the ne'er-do-well had access to your md5 (or similar) hashes? Any front-based attack will have to use whatever public-facing tools you provide. As drewbee points out, there are other security measures you can implement to thwart that style of attack.

OTOH, defence in depth suggests you should make it as difficult as possible. (Though I can't see any measurable difference compared to salting.)




Theme © iAndrew 2016 - Forum software by © MyBB