Wednesday, 31 March 2010

Seasoned Authentication

Lots of systems that employ user authentication obscure users' passwords using a hashing routine such as MD5 or SHA1, which produce hash strings of 32 or 40 characters respectively.

These hashing algorithms are one-way only, so although the MD5 of 'My Password' is '14ddb8585ddfc6c4670b9c18aed1fe8b', there is no way to return 'My Password' by running code against '14ddb8585ddfc6c4670b9c18aed1fe8b'.

However, most users do not use particularly secure passwords, so if a cookie containing a hashed password is stolen, the thief may be able to bombard the hash with the MD5 hashes of dictionary words in order to find one that matches. MD5 runs extremely quickly, and a modern computer can perform millions of these comparisons every second.

Rainbow Tables

Even if users use secure passwords, it is possible to work out what the original password may have been by using a rainbow table. This is look-up table that store the hashed values of vast numbers of plain-text strings. If the user's password is among the plain-text strings in the table, its hash will match the hash stored, and the security is broken.

Salting Passwords

One way to combat the threat posed by rainbow tables is to 'salt' the password hashes
with a random string of text that is stored un-hashed in a secure location. The password hash is then generated using md5(salt . md5(password)), or a similar method that hashes the salt with the password.

The use of salting can make rainbow tables redundant, as a separate table needs to be generated for every possible salt value. However, modern computers are very fast and hashes can be generated very quickly, so a short salt length may make the task of breaking the hash with a rainbow table feasible. In order to combat this, a longer salt length may be employed.


It is important to note that salting is only effective if the person attempting to break the password hash does not know the salt value. If the salt value is known by the attacker, the attacker can simply start running the (known) hashing routine against the potential password plus the (known) salt until a match is made.

Therefore, if a hacker exploits a vector to gain access to a password database and the salt values are stored together with the password hashes, it will not matter if the salt value is three characters or three-thousand - exactly the same amount of work is required to and break the hash.


  1. Ah yes ......... the old "Condiments left on the table attack" ........... cunning

  2. To be fair, it still takes a while to generate a rainbow table. The smaller a salt is the bigger the chance that a pre-built table for that salt can be found, saving quite some time.

    On the basis that you need to build the table anyway, you're right - but that in itself would take quite a while.

  3. Colin, there are irc channels on ircnet/efnet that have been around for 7+ years .. imagine the size of their rainbow databases. And that's a public service.

  4. vBulletin 4.0 is rubbish stuff now, just letting you know that vBulletin 3.0 is so much better. Why did you leave anyway? Is it because internet brands took over? Did you have to leave? Or did you make the decision yourself?

    Either way, vBulletin is a load of bollocks now and it's surely ruined for a long time.

  5. Bạn là chủ xe và đang cần tìm hàng vận chuyển? Bạn là người cần tìm xe vận chuyển hàng? Vậy bạn hãy ghé vào sàn vận tải nội địa đây là nơi sẽ giúp bạn tìm thấy thứ bạn đang cần tìm. Hiện nay, chúng tôi tự hào là một trong những đơn vị cung cấp giải pháp vận chuyển hàng đầu hiện nay. Với các dịch vụ vận chuyển hàng hóa nội địa, vận chuyển Bắc Trung Nam, vận chuyển hàng đông lạnh bắc nam,... Đến với chúng tôi bạn sẽ không cần lo lắng tìm hàng hay tìm xe để vận chuyển hàng. Hiện nay thì các tuyến vận chuyển chúng tôi đang có thể kể đến như: vận chuyển hàng đi bạc liêu, vận chuyển hàng đi vũng tàu, vận chuyển hàng đi bắc ninh, vận chuyển hàng đi bến tre,... Để biết thêm thông tin hãy liên hệ với chúng tôi nhé.