Yep sure, it should harden the security of the hashes...depending of what kind of salt as well! :) But in that case some tools also improved and have heuristical techniques to go quicker.
The time needed depends of the softwares you are using! IBM Watson's Lab. or the NSA Labs shounld do this quicker than my laptop! :)
-----Message d'origine-----
De : Dean Saxe [mailto:Dean.Saxe_at_DigitalInsight.com]
Envoyé : jeudi 1 juillet 2004 18:35
À : Bénoni MARTIN; Toro, Daniel; Stan Guzik; Dave Andrews; webappsec_at_securityfocus.com; forensics_at_securityfocus.com
Objet : RE: Securing encrypted data in RAM vs MSSQL
Shouldn't a salt value added to the plaintext before hashing effectively make this kind of a dictionary attack much more difficult, if not impossible, to perform since you would have to recover the salt and plaintext?
-dhs
-----Original Message-----
From: Bénoni MARTIN [mailto:Benoni.MARTIN_at_libertis.ga]
Sent: Thursday, July 01, 2004 1:19 PM
To: Toro, Daniel; Stan Guzik; Dave Andrews; webappsec_at_securityfocus.com; forensics_at_securityfocus.com
Subject: RE: Securing encrypted data in RAM vs MSSQL
Well, there is always a way to recover the real password or login from a hash...the matter's is the time it will take!
The method to "dehash" a hash is quite simple: as theorically a hash_1 can be produced by a single pass_1/login_1/..., we can create a huge amount of random pass_2/logins_2/..., hash them with MD5/SHA-1/... and then compare each of them with our hash_1. ASA the two hashes are the same, we can pick up the pass/login/... which produced hash_2. Quite simple but really long to perform.
BTW, Cain & Abel, John the Ripper and Crack can perform such recoveries...
:)
Received on Jul 01 2004
Intro
