Hacker Newsnew | comments | ask | jobs | submitlogin
ghshephard 571 days ago | link | parent

It's implicitly understood by everyone who cares about this topic that salting is intrinsic to KDFs. I.E. by the time you've read through, and understood http://codahale.com/how-to-safely-store-a-password/, you understand why "salting" your password gains you nothing, because rainbow tables are no longer particularly relevant to cracking passwords. And yes, while there is salting inherent to KDFs, that's not the major feature of them, but an assumed implementation detail.


ZoFreX 571 days ago | link

> rainbow tables are no longer particularly relevant to cracking passwords

If you use a common hash with no salt you can bet your britches the attacker will use rainbow tables!

It's also worth pointing out that rainbow tables aren't the only attack you are exposed to if you don't salt your passwords - it also prevents finding collisions, and massively slows down forward hashing attacks.

-----

sk5t 571 days ago | link

Negative on that. Not all algorithms produce the salt internally like bcrypt does--programmers must still be careful to supply a sufficiently lengthy random salt as input to PBKDF2, for example. Labeling folks who know this as stuck in the past or ignorant is a mistake.

-----




Lists | RSS | Bookmarklet | Guidelines | FAQ | DMCA | News News | Feature Requests | Bugs | Y Combinator | Apply | Library

Search: