Why do salts make dictionary attacks ‘impossible’?

by

It doesn’t stop dictionary attacks.

What it does is stop someone who manages to get a copy of your password file from using a rainbow table to figure out what the passwords are from the hashes.

Eventually, it can be brute-forced, though. The answer to that part is to force your users to not use dictionary words as passwords (minimum requirements of at least one number or special character, for example).

Update:

I should have mentioned this earlier, but some (most?) password systems use a different salt for each password, likely stored with the password itself. This makes a single rainbow table useless. This is how the UNIX crypt library works, and modern UNIX-like OSes have extended this library with new hash algorithms.

I know for a fact that support for SHA-256 and SHA-512 were added in newer versions of GNU crypt.

More Related Contents:

  1. Where do you store your salt strings?
  2. Password hashing, salt and storage of hashed values
  3. Best Practices: Salting & peppering passwords?
  4. How can I hash passwords in postgresql?
  5. Do I need a “random salt” once per password or only once per database?
  6. Fundamental difference between Hashing and Encryption algorithms
  7. Difference between Hashing a Password and Encrypting it
  8. Salt Generation and open source software
  9. Is “double hashing” a password less secure than just hashing it once?
  10. How can bcrypt have built-in salts?
  11. Non-random salt for password hashes
  12. SHA512 vs. Blowfish and Bcrypt [closed]
  13. The necessity of hiding the salt for a hash
  14. What algorithm should I use to hash passwords into my database? [duplicate]
  15. md5 decoding. How they do it?
  16. How do I generate a SALT in Java for Salted-Hash?
  17. Why not use MD5 for password hashing?
  18. How to send password securely via HTTP using Javascript in absence of HTTPS?
  19. What is the clash rate for md5? [closed]
  20. XMLHttpRequest cannot load file. Cross origin requests are only supported for HTTP
  21. What is the best way to prevent session hijacking?
  22. Salt and hash a password in Python
  23. Will HTML Encoding prevent all kinds of XSS attacks?
  24. How to create a laravel hashed password
  25. How to properly do private key management
  26. OAuth2 and Google API: access token expiration time?
  27. What is the best Distributed Brute Force countermeasure? [closed]
  28. SSO with CAS or OAuth?
  29. What are best practices for securing the admin section of a website? [closed]
  30. Has Hardware Lock Elision gone forever due to Spectre Mitigation?

Leave a Comment