I researched password hashing and cracking and I’ve some misconceptions:
First rule of thumb to create a robust password is to make use of 10+ mixture of digits/higher/decrease/symbols to stop brute power assaults.
Then the issue can be provided that the password is a member of a pre-made desk (whether or not it was lengthy or quick password).
To illustrate the password is QWERTY and assume that:
Hash(QWERTY) = $$$$
Hash(QWERTY+134565654) = ####
Hash(QWERTY+876964786) = &&&
And let’s take into consideration how salt will assist:
For brute power:
The unsalted one $$$$ is simple to brute power
The salted ones #### and &&& are more durable to brute power as a result of they’re longer and even when they have been brute-forced the hackers will not know the password except they’ve the salt
For rainbow tables:
The unsalted one is simple to look in rainbow desk with $$$$
The second if you search for a rainbow desk for #### you will not discover something
For rainbow tables, if the hacker has the salt when he broke the database:
The hacker has #### and has 134565654
The hacker might want to implement a brand new rainbow desk for all of the recognized passwords with appending 134565654 to them till he finds that #### matches QWERTY+134565654 and is aware of the password
Since each consumer has their very own salt, cracking User1 password from making a 134565654 particular rainbow desk, will not assist the hacker to know that Consumer 2 has the identical password, so the hacker might want to do one other 876964786 particular rainbow desk for this consumer
It takes longer time to crack 1 password however is not it nonetheless possible with fashionable GPUs permitting to create quick Rainbow tables?
In contrast to the earlier instance (the place the salt can be saved in a separate column for instance) bcrypt computes the salt via rounds (say 10), so it runs the gradual bcrypt hashing algorithm 10 occasions on the password earlier than storing within the database and earlier than verifying consumer login.
Because the bcrypt algorithm is thought, why would not hackers create a bcrypt rainbow desk for every spherical? So this manner they may create simply 31 bcrypt rainbow tables for the frequent and quick lengths passwords?
If what I am saying is true, does this imply that salting helps solely towards brute power with out salt worth uncovered, however would not actually assist towards robust GPUs with the salt worth?