Comments (2)
Yeah someone has got in somehow and I can get all the right info but no way to use it????
from crackstation.
This is a nice example of a weakness with that simple client-side salt style that is often mentioned, thanks 👍
I'd say that the length still makes it unlikely to be pre-computed, especially when for most domains the username + domain name isn't likely to form a potential dictionary word (which we're also arguing here has a .com
treated as a word, and with PassWord
using pattern variations with the casing there).
Bob should probably not be surprised if his password did get compromised, but such an attack is more likely to be carried out with the hashed DB password already available to the attacker. The salt being predictable is a given and an attack against Bob would quickly reveal his password when iterating through common poor passwords which is low effort.
What additionally protects bob here is a slow hash being in the mix. The same supposed rainbow table with this result needs to match the slow hash algo chosen with the same parameters. You can add in a pepper that's randomly generated once for your service and accessed via ENV var afaik, mixing this in server-side to get the DB hash lookup makes the issue moot? (unless the attacker has access to that as well, but for whatever reason does not have enough access to the server to perform an active attack by modifying JS payload to just send passwords or whatever they want to accomplish)
If it's still worrying you, you could do as suggested and hash the salt. Only useful when it's not a common pattern, an attacker making these tables could just as easily generate username
+ domain
+ password
as components. In that same sense, you can add jibberish into the salt, doesn't matter if public and static, it'd just be padding the length against the attack you're concerned about.
Rainbow tables don't do well against storage requirements (EDIT: Rainbow tables can be more storage efficient, I mixed them up with plain lookup tables, storage still gets fairly demanding for the most part though), 4 billion hashes (2^32) is at least 137GB? 2^55 * 32B= >1 EB
1 ExaByte, 1 million TeraBytes, that's 8,388,608 times (2^23) more hashes. EFF has a short dictionary list of 1296 words (6^4, roll 4 six sided dice to get the index of a word in the list), 5 of those words is log2((6^4)^5) = ~51.7
(51.7 bits / 2^51.7), 117 PB (117,000 TeraBytes). Their larger wordlist is 7,776 in size and can achieve the same size in just 4 words log2((6^5)^4)= ~51.7
. These are without transforming each word into different variations (changing case, substituting letters with numbers, or delimiters between words like spaces, dots or dashes if any).
Just let that sink in, a rainbow table lookup table needs to prioritize password combinations that are going to be statistically more likely to be successful matches, otherwise as the length of the input pattern/rules increases, the size of the table gets very expensive and less likely to be commonly available (probably behind a pay wall or private community server/cluster). Someone might specifically generate a table for such a pattern though if you had 1 million bobby.com
like "words" combined with 1 million common passwords, you'd get log2((2^20) * (2^20)) = 40
which is 2^40 * 32B = ~35TB
. If you were able to process all those passwords through a slow hash at a rate of 1 million / sec (expensive), it'd take: ((2^40) / 1000000) / (60*60*24) = ~12.7
roughly 13 days (bcrypt work factor of 12 on an nvidia 3080 GPU only manages around 600 hashes per sec IIRC which'd make that about 58 years instead).
domain
could be sourced from a list of Top X domains or popular words (all the same in a dictionary / pattern source for generating a rainbow table) coupled with a 2nd "word", the TLD (.com
, .net
, .org
) or just .com
to reduce the overhead. Lower effort is to just generate with common username
s that can be filtered in advance to pair well with a certain length of words as the domains (could even automate that somewhat for worthwhile domains), but effectively username
+ domain
== word/name
+ .com
shouldn't be that difficult of a rule to consider by whomever is creating such a rainbow table.
from crackstation.
Related Issues (11)
- hashing-security - Password Reset token should be hashed in DB HOT 1
- Get rid of link to @PlzCrack Twitter HOT 1
- Mention that password reset tokens should be hashed just like passwords HOT 1
- Switch to hCaptcha
- Hashing Security - Timing attack section clarification HOT 4
- License for code snippets
- path = src/source/password-hashing
- minor spelling HOT 1
- Link to OWASP Top 10 is Dead HOT 2
- Clarify "Unrecognized hash format."
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from crackstation.