On Wed, 24 Jul 2013 09:07:49 -0400, Greg Freemyer wrote:
On Wed, Jul 24, 2013 at 12:48 AM, Jim Henderson wrote:
On Tue, 23 Jul 2013 23:14:32 -0400, Greg Freemyer wrote:
If people use a relatively short password, a rainbow attack is not significantly slowed down by strong encryption, no matter how strong it is.
It is if you salt the password, which eDirectory has done for years.
Rainbow tables are rendered completely useless by salting the password with an effective algorithm.
Jim,
I should know the answer to this, but if that is true why can so many systems be attacked via rainbow tables?
My multiple choice answers (guesses):
- They didn't set up a salt value at all
- Often in mass produced software like MS Windows, a single salt value is used for the entire install base, so the bad guys can build a rainbow table on one box, but use it millions of places.
- Other
I don't know for certain, but I know not all crypto systems use salt values. It does increase the complexity of the algorithm, so I'd guess it's a trade-off of different features.

I can tell you that for something like BitLocker (which is full disk encryption that comes with certain releases of Windows Vista, and all editions of Windows 7/8), they do use salt in the encryption algorithm. I was recently working on a project for a client where that was germane to the work I was doing.

To my knowledge, Windows doesn't use a single salt value across all installations (that would kinda defeat the purpose, and while I know that liking Windows isn't a popular thing in Linux communities, perpetrating false information about Windows also isn't a good thing to do, either. We can compare on the merits without making stuff up. ;) )

Jim

--
Jim Henderson
Please keep on-topic replies on the list so everyone benefits

--
To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse+owner@opensuse.org
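The three cases Greg lists (no salt, one salt shared by every install, a random salt per account) can be checked directly. The script below is an added illustration, not code from either poster or from any Windows or eDirectory component; it uses a plain precomputed digest-to-password lookup table over a constructed five-word list as a stand-in for a rainbow table (a rainbow table is a space-for-time compression of the same precomputed work, so the salting argument is identical), and plain SHA-256 instead of a real password KDF. The wordlist, the stored passwords and the function names are all assumptions made for the example.

```python
import hashlib
import secrets

# Constructed sample wordlist: the small password space a short password lives in.
WORDLIST = ["password", "letmein", "qwerty", "sunshine", "hunter2"]


def hash_pw(password: str, salt: bytes = b"") -> str:
    """SHA-256 of salt || password. Illustration only; a real system uses a slow KDF."""
    return hashlib.sha256(salt + password.encode()).hexdigest()


def build_table(salt: bytes = b"") -> dict:
    """Precompute digest -> password for the whole wordlist under ONE salt.
    This is the one-off investment a precomputed/rainbow table amortises."""
    return {hash_pw(pw, salt): pw for pw in WORDLIST}


def make_store(passwords, salt_mode: str):
    """Build a credential store as (salt, digest) records.
    salt_mode: 'none' | 'global' (one salt for the install base) | 'per_user'."""
    global_salt = secrets.token_bytes(16)
    records = []
    for pw in passwords:
        if salt_mode == "none":
            salt = b""
        elif salt_mode == "global":
            salt = global_salt
        else:
            salt = secrets.token_bytes(16)  # fresh random salt per account
        records.append((salt, hash_pw(pw, salt)))
    return records, global_salt


def recovered_with_one_table(store, table: dict) -> int:
    """How many stored records a single precomputed table recovers."""
    return sum(1 for _, digest in store if digest in table)


def tables_needed(store) -> int:
    """Distinct salts in the store = number of separate tables an attacker must build."""
    return len({salt for salt, _ in store})


def demo() -> dict:
    # Constructed accounts whose passwords all lie in the attacker's wordlist.
    pws = ["password", "qwerty", "hunter2"]
    results = {}

    # No salt: a table built anywhere works against every record everywhere.
    store, _ = make_store(pws, "none")
    results["none"] = (recovered_with_one_table(store, build_table()), tables_needed(store))

    # One salt for the whole install base: build the table once with that salt,
    # then reuse it against every installation. Equivalent to no salt at scale.
    store, gsalt = make_store(pws, "global")
    results["global"] = (recovered_with_one_table(store, build_table(gsalt)), tables_needed(store))

    # Per-user salt: a table built for the first account's salt recovers only
    # that account; every other account needs its own table.
    store, _ = make_store(pws, "per_user")
    results["per_user"] = (recovered_with_one_table(store, build_table(store[0][0])), tables_needed(store))
    return results


if __name__ == "__main__":
    for mode, (hits, tables) in demo().items():
        print(f"{mode:9s} recovered {hits}/3 with one table; tables needed: {tables}")
```

Each result is (records recovered by one table, tables the attacker must build). The unsalted and global-salt stores both give 3 recovered with 1 table, which is why a single shared salt buys nothing against precomputation; the per-user store gives 1 recovered and 3 tables, so the attacker's work grows linearly with the number of accounts instead of being done once.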