Old 03-12-2025, 01:12 PM   #2668
jbjb
Somewhat clueless
 
Posts: 779
Karma: 10535853
Join Date: Nov 2008
Location: UK
Device: Kindle Oasis
Quote:
Originally Posted by ratinox View Post
Unix password files are well-documented, but any given site like mobileread can do things differently, so an attacker would need to identify that in order to generate usable hash tables. Or to identify a more efficient attack if one exists.
Sorry for reopening this, but it's clear I haven't made my point well.

The point is that:
  • generating the rainbow table for a particular salt is about the same effort as brute-forcing one password
  • hence, the point of rainbow tables is that the table can be used against multiple passwords if they use the same salt (i.e., in the real world, if they're unsalted)
  • whether you know the salt through reverse-engineering the salt-generating algorithm or from reading it from a hacked file, you still need a table specific to that salt
  • based on all the above, for a properly salted system you're basically back to brute-forcing each password

Last edited by jbjb; 03-12-2025 at 01:15 PM.
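The argument above can be checked directly. The following is an added example, not code from the post or from MobileRead: it precomputes a lookup table over a tiny constructed candidate space (all 3-character lowercase strings), shows that one unsalted table cracks every unsalted user at no extra cost, and then shows that the same table misses every per-user-salted hash, so each salted password costs a fresh candidate-space sweep. A plain hash-to-password dictionary stands in for a real rainbow table here; a rainbow table is a space/time trade-off over exactly this precomputation, and the work to build it is the same. The 3-character space, the sample passwords and the use of raw SHA-256 as the "site hash" are all assumptions made for the demonstration.

```python
import hashlib
import os
import string
from itertools import product

# Constructed candidate space for the demo: every 3-character lowercase string.
# 26**3 = 17,576 candidates, small enough to sweep in well under a second.
ALPHABET = string.ascii_lowercase
CANDIDATES = ["".join(chars) for chars in product(ALPHABET, repeat=3)]


def site_hash(password: str, salt: bytes = b"") -> str:
    """Stand-in for a site's password hash: SHA-256 over salt || password.
    With an empty salt this is an unsalted hash (assumption for the demo)."""
    return hashlib.sha256(salt + password.encode()).hexdigest()


def build_table(salt: bytes = b"") -> dict:
    """Precompute digest -> password for the whole candidate space under one salt.
    Cost: exactly len(CANDIDATES) hash evaluations, i.e. the same work as one
    exhaustive brute force of a single password under that salt.
    The salt is baked into every entry, so the table is only valid for that salt."""
    return {site_hash(p, salt): p for p in CANDIDATES}


def brute_force(digest: str, salt: bytes):
    """Sweep the candidate space against ONE salted digest.
    Returns (password or None, number of hashes computed)."""
    for count, candidate in enumerate(CANDIDATES, start=1):
        if site_hash(candidate, salt) == digest:
            return candidate, count
    return None, len(CANDIDATES)


def attack_unsalted(passwords: list) -> tuple:
    """Unsalted site: one table, built once, cracks every user by dictionary lookup.
    Returns (recovered passwords, hashes spent on precomputation)."""
    stored = [site_hash(p) for p in passwords]
    table = build_table()                      # paid once
    recovered = [table.get(d) for d in stored]  # zero hashing per user
    return recovered, len(CANDIDATES)


def attack_salted(passwords: list) -> tuple:
    """Salted site: each user gets a random 16-byte salt.
    Returns (table hits using the unsalted table, per-user brute-force results)."""
    stored = []
    for p in passwords:
        salt = os.urandom(16)
        stored.append((salt, site_hash(p, salt)))

    # The precomputed unsalted table is useless: none of the digests match.
    unsalted_table = build_table()
    table_hits = [unsalted_table.get(d) for _, d in stored]

    # The attacker is back to brute-forcing each password separately, and
    # building a per-salt table would cost the same as one brute force anyway.
    per_user = [brute_force(d, salt) for salt, d in stored]
    return table_hits, per_user


if __name__ == "__main__":
    users = ["abc", "zzz", "hey"]   # constructed sample passwords, all in CANDIDATES
    found, precompute_cost = attack_unsalted(users)
    print("unsalted: recovered", found, "after", precompute_cost, "precomputed hashes")
    hits, results = attack_salted(users)
    print("salted: table hits", hits)
    for pw, (got, cost) in zip(users, results):
        print(f"salted: brute-forced {pw!r} -> {got!r} in {cost} hashes")
```

Run it and the unsalted case recovers all three passwords from a single precomputation, while the salted case returns `[None, None, None]` from that same table and each user then needs its own sweep. Note that the salt does not make any single password harder to guess; it only stops the precomputation from being shared across users, which is exactly the point made in the post.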