Linked by Thom Holwerda on Mon 4th Jul 2011 21:43 UTC
Apple So, Anonymous, under the guise of its AntiSec campaign, has hacked an Apple server, got access to 27 administrator usernames and passwords, and put them on Pastebin. Is it time to panic? Is it time to point and laugh at Apple? Is it time to stop using iTunes? Not really - this is a small hack that will cause little to no damage.
RE[5]: SHA1 hashed
by Alfman on Tue 5th Jul 2011 21:31 UTC in reply to "RE[4]: SHA1 hashed"

"You're disagreeing with what most cryptographers say."

What specifically makes you say that? I have a strong background in cryptography, but I don't think this is necessary to understand why salting doesn't preclude a reverse permutation attack.

I assert:

1. A reverse hash index can be generated for plain password hashing (as evidenced by the link above). True/false?

2. The salting doesn't add significantly to the (time) complexity for forward hashing. True/false?

3. A reverse hash index can be generated for salted passwords in the same way it can be generated for unsalted passwords. True/false?

If any of these are false, please explain why you think so.


"Look at bcrypt. it does what I presume you're after."

I looked it up, but it's a file encryption utility and I'm not really clear about exactly what you wanted me to look at.

I'm not "after" anything. Just pointing out that H(salt+password) is vulnerable to the same dictionary type attacks as H(password).

If someone were to ask me, I'd advise them to use an SHA2 HMAC for salting with no less than 1K iterations. 10K iterations would be better (and still only take 1ms to compute at login).

If a permutation attack previously took 2 days on a given cluster, it would now take 20,000 days (or 56 years) on the same cluster.


Of course, we're assuming the attackers even care about the passwords, which they may not since they've already obtained elevated privileges by this point.

Edited 2011-07-05 21:36 UTC

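The point made in the comment above, that a single H(salt+password) costs the attacker one hash call per guess while an iterated HMAC multiplies that cost by the iteration count, shown as an added example (not the commenter's code). Function names, the 16-byte salt and the 32-byte output are assumptions; the iterated construction is PBKDF2 with one output block and is checked against the standard library.

```python
import hashlib
import hmac
import os
import struct


def naive_salted_hash(password: bytes, salt: bytes) -> bytes:
    """H(salt + password): one SHA-256 call per guess, same cost as H(password)."""
    return hashlib.sha256(salt + password).digest()


def iterated_hmac_sha256(password: bytes, salt: bytes, iterations: int) -> bytes:
    """Iterated HMAC-SHA256 (PBKDF2, first 32-byte block): each guess now costs
    `iterations` HMAC calls, so an attacker's work scales by the same factor."""
    if iterations < 1:
        raise ValueError("iterations must be >= 1")
    u = hmac.new(password, salt + struct.pack(">I", 1), hashlib.sha256).digest()
    result = u
    for _ in range(iterations - 1):
        u = hmac.new(password, u, hashlib.sha256).digest()
        result = bytes(a ^ b for a, b in zip(result, u))
    return result


def matches_stdlib(password: bytes, salt: bytes, iterations: int) -> bool:
    """Sanity check: the hand-rolled loop must agree with hashlib.pbkdf2_hmac."""
    expected = hashlib.pbkdf2_hmac("sha256", password, salt, iterations, 32)
    return iterated_hmac_sha256(password, salt, iterations) == expected


def make_record(password: bytes, iterations: int = 10_000) -> dict:
    """Store salt and iteration count next to the hash; both are public."""
    salt = os.urandom(16)  # per-user random salt (assumed 16 bytes)
    return {"salt": salt, "iterations": iterations,
            "hash": iterated_hmac_sha256(password, salt, iterations)}


def verify(password: bytes, record: dict) -> bool:
    """Recompute with the stored parameters and compare in constant time."""
    candidate = iterated_hmac_sha256(password, record["salt"], record["iterations"])
    return hmac.compare_digest(candidate, record["hash"])


def attack_cost_days(single_hash_days: float, iterations: int) -> float:
    """Attacker's time for a dictionary run scales linearly with iterations."""
    return single_hash_days * iterations


if __name__ == "__main__":
    rec = make_record(b"correct horse battery staple")
    print("login ok:", verify(b"correct horse battery staple", rec))
    print("cluster days at 10K iterations:", attack_cost_days(2, 10_000))
```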