On 07/24/2013 11:51 AM, Jim Henderson wrote:
> On Wed, 24 Jul 2013 13:44:11 -0400, Greg Freemyer wrote:
>> Salting is not a new technique either.
>
> True, but it might also have been less common for performance reasons. Older hardware, slower performance - you know the story. :)
>
> Or as well, that salting was perceived to provide little additional value because hardware was so slow, and if you were doing 200 passwords a minute, you were doing *really* well. Now with GPU-based cracking systems, you can do millions of password tests an hour without breaking a sweat, so increasing the complexity of the algorithm and introducing that salt value becomes much more significant a barrier.
>
> It's always been about risk vs. performance. Slower systems = lower risk, and performance optimizations meant that eking every last bit of performance out of an algorithm was important to overall system performance.

FWIW I remember SunOS 3.4 using salts in 1986 on Motorola 68010 CPUs. Was there ever a UNIX that didn't use salt?

Regarding security on Windows, you have to remember that it started as a toy desktop-only operating system where security wasn't an issue. Microsoft's security posture generally lagged the environment in which their operating systems were being used. Also, whenever choices needed to be made between security and ease-of-use, security always lost.

"Salt? Who needs no stinkin' salt!?" said the Borg...

Regards,
Lew