Quote:
Originally Posted by jim584672
It depends on how they arrive at the salt value. The salt is designed to prevent a precalculated rainbow table attack, which is basically what you are describing. If the salt is unknown to the attacker the hashes are secure.
True. I was going with the "worst-case scenario", where the bad guys get the salt when they steal the hashes. That's not a foregone conclusion, but you might imagine if they're rummaging around with database access, they might leave with the salt as well as the hashes. It's much less useful for rainbow tables if the salt is different for each set of credentials, which I think is best practice. I'm not sure how wide that practice has become.
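The difference between a single site-wide salt and a per-credential salt in the worst case discussed above (salts stolen along with the hashes), as an added example that is not part of the original posts. The account names, passwords, candidate list, helper names and the choice of PBKDF2-SHA256 are all assumptions made for the illustration.

```python
import hashlib
import os
from typing import Optional

ITERATIONS = 1_000  # assumption: kept low so the demo runs quickly

# Constructed sample data, not taken from the thread.
USERS = {"alice": "hunter2", "bob": "hunter2", "carol": "correct horse"}
CANDIDATES = ["123456", "password", "hunter2", "letmein"]

def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, iterated hash of one password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def make_store(users: dict, shared_salt: Optional[bytes]) -> dict:
    """Build {user: (salt, hash)}.

    With shared_salt set, every account uses that one value;
    with None, each account gets its own random 16-byte salt.
    """
    store = {}
    for user, password in users.items():
        salt = shared_salt if shared_salt is not None else os.urandom(16)
        store[user] = (salt, hash_password(password, salt))
    return store

def precompute_cost(store: dict, candidates: list) -> int:
    """Hash computations needed to cover every candidate for every account
    once the salts are known: one full table per distinct salt."""
    distinct_salts = {salt for salt, _ in store.values()}
    return len(distinct_salts) * len(candidates)

def identical_hash_groups(store: dict) -> list:
    """Accounts whose stored hashes are equal, which exposes password reuse."""
    groups = {}
    for user, (_, digest) in store.items():
        groups.setdefault(digest, []).append(user)
    return [sorted(g) for g in groups.values() if len(g) > 1]

if __name__ == "__main__":
    for label, salt in (("shared salt", b"site-wide-salt-01"), ("per-user salt", None)):
        store = make_store(USERS, salt)
        print(label, "cost:", precompute_cost(store, CANDIDATES),
              "equal hashes:", identical_hash_groups(store))
```

With a shared salt, one table covers every account and equal passwords produce equal hashes; with per-user salts the table has to be rebuilt for each account and equal passwords no longer stand out.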