26.06.2013, 16:39
I'm reading up on password security, and I'm a bit confused about salting. If a rainbow table/lookup table can be made for all the possible passwords, surely if they know the salt for a password, they can create a table for it with every possible word plus the salt?
If I have this database:
* Obviously the plaintext passwords won't be stored :P
If I wanted to find out Steve's password, wouldn't I just be able to add the salt (which I know, because it's stored in the database..) to the rainbow/lookup table? For example I could check the following hashes:
"apple" + "FNkwqx4X" = bf9bbcf9faf59333a9467e878ef7e88c61ae3381ee7fb685221ba88a2bc127e2 (WRONG)
"grapefruit" + "FNkwqx4X" = f7213a8e2d934c14487daf5a4fac6d7e6a742f8982584cb1cfa6adb62e8a82cb (WRONG)
...
"banana" + "FNkwqx4X" = 969fb8ae699480dd843181b14c859c57c444d4e890f539080baac03c8a90556f (CORRECT)
I must have the wrong idea. If someone could explain, thanks.
To get the hash, I just joined the strings like so: SHA256('bananaFNkwqx4'). Not sure if that's how it's meant to be done though.
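An added worked example (not from the poster, and not any library's reference code) that shows why a per-user salt still helps even though the salt is stored in the clear: a lookup table precomputed for one salt only resolves hashes that were made with that same salt, so the precomputation has to be redone for every distinct salt, and the total cost grows with the number of users rather than being paid once. The wordlist, the second salt and the two user records are constructed for the demonstration; the salt "FNkwqx4X" is the one from the post. The second half shows the recommended replacement for plain SHA-256 over the concatenation: a slow, salted KDF (PBKDF2-HMAC-SHA256 from the standard library) with a fresh random salt per record and a constant-time comparison on verification.

```python
import hashlib
import hmac
import os

# Constructed wordlist for the demonstration (not from the original post).
WORDLIST = ["apple", "grapefruit", "banana", "cherry"]

# Salts used in the demonstration; the first is from the post, the second is constructed.
SALT_STEVE = "FNkwqx4X"
SALT_OTHER = "x9Lp2QaZ"


def naive_hash(password: str, salt: str) -> str:
    """The scheme described in the post: SHA-256 over password || salt."""
    return hashlib.sha256((password + salt).encode()).hexdigest()


def build_lookup_table(salt: str) -> dict:
    """Precompute hash -> word for every wordlist entry, for ONE salt only."""
    return {naive_hash(word, salt): word for word in WORDLIST}


def resolve(table: dict, stored_hash: str):
    """Look a stored hash up in a precomputed table; None means the table does not cover it."""
    return table.get(stored_hash)


def precompute_cost(num_words: int, num_distinct_salts: int) -> int:
    """Hashes needed to cover the wordlist for every distinct salt in a database."""
    return num_words * num_distinct_salts


def salt_demo() -> dict:
    """Two users with the same password but different salts: one table covers only one of them."""
    stored_steve = naive_hash("banana", SALT_STEVE)
    stored_other = naive_hash("banana", SALT_OTHER)
    table_for_steve = build_lookup_table(SALT_STEVE)
    return {
        "hashes_differ": stored_steve != stored_other,
        "steve_resolved": resolve(table_for_steve, stored_steve),
        "other_resolved": resolve(table_for_steve, stored_other),
        # A single unsalted table costs len(WORDLIST); with N distinct salts it costs N times that.
        "cost_unsalted": precompute_cost(len(WORDLIST), 1),
        "cost_1000_users": precompute_cost(len(WORDLIST), 1000),
    }


# --- Recommended storage: slow salted KDF with a random per-record salt ---

def make_record(password: str, iterations: int = 200_000) -> dict:
    """Create a stored credential record: random 16-byte salt, iteration count, derived key."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations, "hash": dk.hex()}


def verify_record(password: str, record: dict) -> bool:
    """Re-derive with the stored salt and iteration count; compare in constant time."""
    dk = hashlib.pbkdf2_hmac(
        "sha256",
        password.encode(),
        bytes.fromhex(record["salt"]),
        record["iterations"],
    )
    return hmac.compare_digest(dk.hex(), record["hash"])


if __name__ == "__main__":
    print(salt_demo())
    rec_a = make_record("banana")
    rec_b = make_record("banana")
    # Same password, different random salts: stored hashes differ, so no shared table applies.
    print("records differ:", rec_a["hash"] != rec_b["hash"])
    print("verify correct:", verify_record("banana", rec_a))
    print("verify wrong:  ", verify_record("apple", rec_a))
```

Two points the run makes concrete: knowing a salt does let someone check candidate words for that one record, which is exactly what the post describes, but the precomputed table cannot be reused across records, so the "build once, use forever" property of a rainbow table is gone. The iteration count in PBKDF2 then makes each individual candidate check expensive, which is the second half of the defence.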