How? Source for this statement?

MartinTruckenbrodt wrote:
Hello bantu,
no, this doesn't increase security.

It clearly does. When there is a SQL injection I get all the salts and all the user password hashes.
Your proposal:
1 salt
u user hashes

I take my dictionary with w words and hash all the words with the hash function and the one salt.
Complexity for hashing all words: 1 * w
Then I compare the results with all u user hashes.

Per-password hashes:
u salts
u user hashes

Again, I take my dictionary with w words and hash all the words with the hash function, but have to do this for every salt.
Complexity for hashing all words: u * w
Then I compare the results with all u user hashes.

Also, the salt changes when the password changes.
Yeah, you can think that if you want. Again, please read up on Password Hashing and Salting. Buy a good crypto book or something.

MartinTruckenbrodt wrote:
I think it's more secure to have one salt in CONFIG_TABLE and all passwords in USERS_TABLE instead of saving all salts and all passwords together in one table USERS_TABLE.

Use your favorite search engine and search for "rainbow table".

MartinTruckenbrodt wrote:
Still I don't believe that there are rainbow tables with hashes for random strings. Please show me a source for this statement.
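The 1 * w versus u * w cost comparison from the reply above, as an added worked example; this code is not part of any post in the thread and is not from the software being discussed. It assumes a fast stand-in hash (SHA-256 over salt || password) instead of a real password hash, a constructed eight-word dictionary and a constructed four-user table, and the function names (h, attack_global_salt, attack_per_user_salt, users_sharing_a_hash) are chosen here for illustration. It also shows the second thing a shared salt gives away: two users with the same password get the same stored hash.

```python
import hashlib
import os
from collections import Counter

# Stand-in password hash H(salt, password) (assumption for this example).
# SHA-256 is used only so the simulation runs instantly; a real system would
# use a slow password hash. The counting argument does not depend on which
# function this is.
def h(salt: bytes, password: str) -> bytes:
    return hashlib.sha256(salt + password.encode("utf-8")).digest()

# Constructed sample data: a small "dictionary" and a user table whose
# passwords are partly drawn from it (and one of them is reused).
DICTIONARY = ["123456", "password", "qwerty", "letmein",
              "dragon", "hunter2", "welcome", "monkey"]
USER_PASSWORDS = {
    "alice": "password",
    "bob": "hunter2",
    "carol": "password",      # same password as alice
    "dave": "c0rrect-h0rse",  # not in the dictionary
}

def build_table_global_salt(users, salt):
    """One salt for everybody (stored once in a config table): name -> hash."""
    return {name: h(salt, pw) for name, pw in users.items()}

def build_table_per_user_salt(users):
    """A fresh random salt per user, stored beside the hash: name -> (salt, hash)."""
    table = {}
    for name, pw in users.items():
        salt = os.urandom(16)
        table[name] = (salt, h(salt, pw))
    return table

def attack_global_salt(table, salt, dictionary):
    """Hash every dictionary word once under the shared salt, then check all
    users against that single result set. Returns (cracked, hashes_computed)."""
    computed = 0
    lookup = {}
    for word in dictionary:
        lookup[h(salt, word)] = word
        computed += 1                       # total: 1 * w
    cracked = {name: lookup[digest]
               for name, digest in table.items() if digest in lookup}
    return cracked, computed

def attack_per_user_salt(table, dictionary):
    """Every user has a different salt, so the whole dictionary has to be
    re-hashed for each of them (no early stop, so the count is exactly u * w).
    Returns (cracked, hashes_computed)."""
    computed = 0
    cracked = {}
    for name, (salt, digest) in table.items():
        for word in dictionary:             # total: u * w
            computed += 1
            if h(salt, word) == digest:
                cracked[name] = word
    return cracked, computed

def users_sharing_a_hash(digests):
    """Number of users whose stored hash is identical to another user's hash.
    With a shared salt, equal passwords give equal hashes, which the stolen
    table leaks before any cracking starts."""
    counts = Counter(digests)
    return sum(c for c in counts.values() if c > 1)

def run_simulation():
    global_salt = os.urandom(16)
    table_g = build_table_global_salt(USER_PASSWORDS, global_salt)
    table_p = build_table_per_user_salt(USER_PASSWORDS)

    cracked_g, cost_g = attack_global_salt(table_g, global_salt, DICTIONARY)
    cracked_p, cost_p = attack_per_user_salt(table_p, DICTIONARY)
    return {
        "global_salt_cost": cost_g,          # 1 * w = 8 hash computations
        "per_user_salt_cost": cost_p,        # u * w = 32 hash computations
        "global_salt_cracked": cracked_g,
        "per_user_salt_cracked": cracked_p,
        "global_salt_shared_hashes": users_sharing_a_hash(table_g.values()),
        "per_user_salt_shared_hashes": users_sharing_a_hash(d for _, d in table_p.values()),
    }

if __name__ == "__main__":
    for key, value in run_simulation().items():
        print(f"{key}: {value}")
```

Both attacks recover the same weak passwords; what changes is the price. With the shared salt the attacker pays for the dictionary once and amortises it over every user (and over every future dump of the same installation, since the salt never changes), which is exactly the precomputation a lookup or rainbow table captures once that one salt is known. With per-user salts the same dictionary costs u times as much, and a precomputed table would have to be built separately for each salt.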