Linked by Thom Holwerda on Mon 4th Jul 2011 21:43 UTC
Apple So, Anonymous, under the guise of its AntiSec campaign, has hacked an Apple server, got access to 27 administrator usernames and passwords, and put them on Pastebin. Is it time to panic? Is it time to point and laugh at Apple? Is it time to stop using iTunes? Not really - this is a small hack that will cause little to no damage.
RE[3]: SHA1 hashed
by Alfman on Tue 5th Jul 2011 19:21 UTC in reply to "RE[2]: SHA1 hashed"
"Actually, no. A sufficiently long salt (say at least 48 bits) makes pre-computed attacks unfeasible.
Of course, combining salting with key-stretching (as in bcrypt) makes it even more unfeasible."

This is not strictly true. You seem to be assuming that the salt is secret, however in a scenario where an attacker gets in through a web application vulnerability, the attacker will have access to the salt and will be able to build the reverse hash indexes based on it.

Consider the practical differences to the attacker who's building a reverse index.

foreach password {
    insert hash->password where hash=H(password)
    insert hash->password where hash=H(salt+password)
}

Salting alone does not create the computational complexity required to foil a permutation attack. In fact, it's doubtful that it even increases the complexity by a factor of 2.

What is needed is a way to increase forward hashing complexity such that building an index becomes prohibitively expensive and time consuming.

As I mentioned earlier, applying hash algorithms recursively is an effective way to do this. There are many possible variants of this idea; here are the two most obvious:


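A worked illustration of the cost argument in the comment above, added here as an example and not part of the original post: it counts how many hash invocations an attacker who already knows the salt must spend to build a reverse index over a wordlist under plain hashing, salted hashing, and recursively applied (stretched) hashing. The wordlist, the salt value and the round count are constructed for the example.

```python
import hashlib

# Constructed sample wordlist and salt (not from the original post).
WORDLIST = ["password", "letmein", "qwerty", "hunter2", "123456"]
SALT = b"9f3a1c8e02b7d6a4"  # per-user salt, assumed known to the attacker


def h(data: bytes) -> bytes:
    """One SHA-1 invocation; SHA-1 is the algorithm discussed in the thread."""
    return hashlib.sha1(data).digest()


def stretched(password: bytes, salt: bytes, rounds: int) -> bytes:
    """Apply the hash recursively: each round feeds the previous digest back in,
    so computing one candidate costs `rounds` hash calls instead of one."""
    if rounds < 1:
        raise ValueError("rounds must be >= 1")
    digest = h(salt + password)
    for _ in range(rounds - 1):
        digest = h(digest + salt + password)
    return digest


def build_index(scheme: str, rounds: int = 1):
    """Build a digest->password reverse index over WORDLIST.
    Returns (index, number of hash invocations spent building it)."""
    index = {}
    calls = 0
    for word in WORDLIST:
        pw = word.encode()
        if scheme == "plain":
            digest, cost = h(pw), 1
        elif scheme == "salted":
            digest, cost = h(SALT + pw), 1      # known salt: still one call per guess
        elif scheme == "stretched":
            digest, cost = stretched(pw, SALT, rounds), rounds
        else:
            raise ValueError(f"unknown scheme: {scheme}")
        index[digest] = word
        calls += cost
    return index, calls


def lookup(index, stored_digest: bytes):
    """Recover the password behind a leaked digest, if it is in the index."""
    return index.get(stored_digest)


if __name__ == "__main__":
    for scheme, rounds in (("plain", 1), ("salted", 1), ("stretched", 1000)):
        _, calls = build_index(scheme, rounds)
        print(f"{scheme:10s} rounds={rounds:5d} hash calls to index wordlist: {calls}")
```

Salting with a known salt leaves the index cost at one hash call per candidate, while the round count multiplies it directly; raising rounds is the knob that makes index building expensive.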