Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

> If you use the same salt for all passwords then I can easily create a rainbow table consisting of "keyword" + salt hashes and doing so I can crack multiple passwords.

That's not a rainbow table, a rainbow table is a list of precomputed hashes (which you'd just do once on a cluster you pay — of buy from a guy who did — and then store/stash)

But you're brute-forcing the whole table (you can look for matches after each computation) instead of having to individually brute-force each password. But you wouldn't keep the forced salted hashes around since there's no need for them once you've tested the leaked hashes.



Yeah I should have stuck that in quotes. I was trying to keep the explanation as simple as possible.

You are right of course there is no need to keep hashes about once they have been compared against the db.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: