Linked by Thom Holwerda on Wed 6th Jun 2012 22:30 UTC

Thread beginning with comment 521187
If the CPU/GPU hashing performance is sufficiently fast (due to parallelism), then you're right, rainbow tables might become a bottleneck instead of helping. I cannot vouch for your numbers, but if accurate then maybe we're already at a point where rainbow tables aren't necessary.
If one has already broken into a website though, it may be quite easy to modify the server code to capture the passwords when they are used before they are hashed at all.
"The accounts in the LinkedIn dump should be considered compromised with or without salt. Adding salt costs nothing, but it hardly makes a practical difference in the attitude you can take towards the crack."
Ideally, if an advanced attacker can go through one trillion hashes per second (using parallelism), then you could hash your password recursively so that the attacker's effective speed is rate-limited to a few passwords per second. However, this obviously places a rather large burden on servers just to run billions of hashes to slow the attackers down.
Edited 2012-06-07 15:23 UTC