03-12-2025, 12:03 PM   #2655
jbjb
Somewhat clueless
Posts: 772
Karma: 9999999
Join Date: Nov 2008
Location: UK
Device: Kindle Oasis
Quote:
Originally Posted by ratinox
An attacker only needs to identify the salt algorithm once and there are ways to simplify this.
One way is for an attacker to pre-seed the database with a "trojan" account of their own making, enabling a known plaintext attack against that hashed entry. Once they identify how the salts are generated they can use this to generate custom tables, which is orders of magnitude faster than brute force and doesn't require infinite storage.
In any sane environment the salts are generated properly randomly, using a high quality source of entropy. Not something that can be reverse engineered, unless you can spy on the source of entropy.

Quote:
It's all relative. You might not call it trivial, but I don't call it difficult. Getting the database ostensibly is the most difficult step. Once an attacker has that then it's just a matter of time until it's cracked.
It's always just a matter of time, but if that time is many lifetimes of the universe, we're probably OK.
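The difference between a salt that can be recomputed and one drawn from a good entropy source, as discussed in the post above, shown as an added example that is not part of the original post. The username-derived scheme, PBKDF2-HMAC-SHA256, the 16-byte salt length and the iteration count are assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 600_000  # assumed work factor for this sketch; tune for your hardware
SALT_BYTES = 16       # assumed salt length

def derived_salt(username: str) -> bytes:
    """Hypothetical weak scheme: salt computed from public data."""
    return hashlib.sha256(username.encode()).digest()[:SALT_BYTES]

def random_salt(_username: str = "") -> bytes:
    """Salt drawn from the OS CSPRNG; nothing about the account predicts it."""
    return secrets.token_bytes(SALT_BYTES)

def hash_password(password: str, salt: bytes, iterations: int = ITERATIONS) -> dict:
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    # The salt is not secret: it is stored next to the hash it protects.
    return {"salt": salt, "iterations": iterations, "hash": digest}

def verify_password(password: str, record: dict) -> bool:
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), record["salt"], record["iterations"])
    return hmac.compare_digest(candidate, record["hash"])

def is_reproducible(salt_fn, username: str) -> bool:
    """True when anyone who knows the scheme can recompute the salt."""
    return salt_fn(username) == salt_fn(username)

def same_hash_across_sites(salt_fn, username: str, password: str,
                           iterations: int = ITERATIONS) -> bool:
    """Two independent deployments hash the same credentials (constructed case)."""
    site_a = hash_password(password, salt_fn(username), iterations)
    site_b = hash_password(password, salt_fn(username), iterations)
    return site_a["hash"] == site_b["hash"]

if __name__ == "__main__":
    # Constructed sample account; low iteration count only to keep the demo fast.
    for name, fn in (("derived", derived_salt), ("random", random_salt)):
        print(name, "reproducible:", is_reproducible(fn, "alice"),
              "| identical across sites:",
              same_hash_across_sites(fn, "alice", "correct horse", 1_000))
```

With the derived scheme the same stored hash appears wherever the account exists, so precomputed work carries over; with random salts every record has to be handled on its own.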