how long should a password be?

Faramir faramir.cl at gmail.com
Sat May 10 17:03:30 CEST 2008



Peter Pentchev wrote:
> On Tue, May 06, 2008 at 04:52:31AM -0400, Faramir wrote:
> [snip Sven Radde's explanations about the salt]

(removed the part where I say what I understood about salt)


> It seems that you are missing another important point about the salt -
> it is generated randomly each and every time something needs to be
> encrypted :)  There is no such thing as "the salt value for this user";
> every time this user wants to hash a password, the system generates
> a random salt value and hashes this particular password, just this once,
> with this value.

  Yes, that IS a very important point I was missing. And the real
dimension of making precomputed rainbow tables useless... I found this:
http://www.antsight.com/zsl/rainbowcrack/rcracktutorial.htm

  It has estimations of the time required to generate a set of tables
for passwords 1-7 characters long, with just alpha characters, and with
alpha+numeric characters. The second option (with a 666 MHz computer,
very slow by now, but it helps to get an idea of the required time) is
more than 15 days! With some weakly protected files, maybe it would be a
lot faster to use brute force (on the other hand, once the tables are ready,
the required time to use them can be really short... but since salt
ensures the tables can't be used more than once...).

  I know the people who explained salt to me don't need this info, but maybe
there are more people following this subject...

  Have a nice weekend ;)
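As an added illustration of the point Peter makes above (this is not code from the post or from GnuPG): a tiny precomputed table of unsalted SHA-1 digests recovers a password instantly, while the same password hashed with a fresh random salt yields a different digest every time and never appears in the table. The wordlist and the 16-byte salt length are constructed assumptions.

```python
import hashlib
import os

# Constructed sample wordlist, standing in for the character space a
# precomputed table would cover (assumption: not from the post).
WORDLIST = ["secret", "letmein", "gnupg", "salt", "rainbow"]


def unsalted_hash(password):
    """Plain SHA-1: the same password always yields the same digest."""
    return hashlib.sha1(password.encode()).hexdigest()


def build_precomputed_table(words):
    """Digest -> password lookup, the idea behind a precomputed (rainbow) table."""
    return {unsalted_hash(w): w for w in words}


def lookup(table, digest):
    """Return the password the table recovers for a digest, or None."""
    return table.get(digest)


def salted_hash(password, salt=None):
    """Hash with a fresh random salt each time, as Peter describes above.

    Returns (salt, digest); the salt is stored next to the digest so the
    password can be verified later.  SHA-1 is used only to mirror the
    thread; a real system should use a slow password hash (PBKDF2, scrypt).
    """
    if salt is None:
        salt = os.urandom(16)  # new random salt for every hashing operation
    digest = hashlib.sha1(salt + password.encode()).hexdigest()
    return salt, digest


def verify(password, salt, stored_digest):
    """Re-hash with the stored salt and compare against the stored digest."""
    return salted_hash(password, salt)[1] == stored_digest


if __name__ == "__main__":
    table = build_precomputed_table(WORDLIST)
    print("unsalted lookup:", lookup(table, unsalted_hash("gnupg")))   # gnupg
    salt1, d1 = salted_hash("gnupg")
    salt2, d2 = salted_hash("gnupg")
    print("same password, different digests:", d1 != d2)              # True
    print("salted digest in table:", lookup(table, d1))               # None
    print("verify with stored salt:", verify("gnupg", salt1, d1))     # True
```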