Full Disclosure: Re: Salted passwords

[T Biehn <tbiehn () gmail com>]

Valdis,
I don't have control over the set. Sorry I wasn't more explicit about
this. Although, it should have been obvious that the solution needed
to satisfy the conditions:
Data to one way hash.
The set has 9,999,999,999 members.

Thanks for your input sweetie!

-Travis

On Mon, Aug 10, 2009 at 4:26 PM, <Valdis.Kletnieks () vt edu> wrote:
> On Sun, 09 Aug 2009 20:14:57 EDT, T Biehn said:
> > Soliciting random suggestions.
> > Lets say I have data to one-way-hash.
> > The set has 9,999,999,999 members.
> Actually, if you're using a 10-digit decimal field, you probably have 10**10
> possible members - all-zeros counts too (unless there's *other* reasons zero
> isn't a legal ID).  It's those little off-by-one errors that tend to get you.
> ;)
>
> > It's relatively easy to brute force this, or create precomp tables.
> That's because you only have 10M billion members to brute force against.
>
> > So you add a salt to each.
> A better idea cryptographically would be to fix the 10**10 member limit, so
> that the set *could* have a much higher possible number of members.  Even
> staying at 10 characters, but allowing [A-Za-z0-9] (62 possible chars) raises
> your space to 62**10 or about 8.3*10**17 (or almost 10M times the difficuly).
> That's why most symmetric crypto algorithms use at least 64-bit or even larger
> keys, and even larger for RSA and similar public-key systems.


-- 
pgp http://pastebin.com/f6fd606da pgp

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/