Yep. As the other guy said, rainbow tables will probably snag a decent percent of real world passwords. The good passwords are safe, but Darth Helmet's luggage code will be easy pickings. And the people using bad passwords tend to reuse them.
They won't.
Rainbow tables are completely ineffective once you introduce a salt of sufficient length to the password because you've now made the storage requirements exponential.
Since bcrypt uses a salt of 22 characters encoded as base64, this gives you a possibility of:
5444517870735015415413993718908291383296
combinations just for the salt alone. You're not going to be storing rainbow tables for that many salts much less the 31 character password+salt hash that follows.
Read this response on SO for an explanation why.
Rainbow tables are only effective for something like MD5 without salting.
Read this on rainbow table defenses and on bcrypt specifically.
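An added illustration of the salting point above (written for this thread, not code from any poster): a tiny precomputed MD5 lookup table recovers the weak passwords when they are stored unsalted, gets no hits once each user has a 22-character salt mixed in, and the salt space is counted as 64^22. The dictionary and users are constructed, and SHA-256 stands in for bcrypt so it runs with the standard library only.

```python
import base64
import hashlib
import hmac
import os

# Constructed sample data (not from the thread): a cracking dictionary and three users.
WEAK_PASSWORDS = ["123456", "password", "12345", "letmein", "qwerty"]
USERS = {"alice": "123456", "bob": "correct horse battery staple", "carol": "letmein"}

def build_lookup_table(candidates):
    """Precomputed unsalted MD5 digest -> password: one table serves every site that stores bare MD5."""
    return {hashlib.md5(p.encode()).hexdigest(): p for p in candidates}

def new_salt():
    """22 base64 characters from 16 random bytes, bcrypt's salt length (bcrypt uses its own alphabet)."""
    return base64.b64encode(os.urandom(16)).decode()[:22]

def salted_digest(password, salt):
    """SHA-256 over salt || password; a plain hash stands in for bcrypt to keep this dependency-free."""
    return hashlib.sha256((salt + password).encode()).hexdigest()

def store_salted(users):
    """Each user gets a fresh salt, kept in the clear beside the digest."""
    out = {}
    for u, p in users.items():
        salt = new_salt()
        out[u] = (salt, salted_digest(p, salt))
    return out

def verify(password, salt, digest):
    """Login check: recompute with the stored salt and compare in constant time."""
    return hmac.compare_digest(salted_digest(password, salt), digest)

def recover_with_table(table, digests):
    """Look each stored digest up in the precomputed table."""
    return {u: table[d] for u, d in digests.items() if d in table}

def salt_space(alphabet_size=64, length=22):
    """Distinct salts possible; a separate precomputed table would be needed per salt."""
    return alphabet_size ** length

def demo():
    table = build_lookup_table(WEAK_PASSWORDS)
    unsalted = {u: hashlib.md5(p.encode()).hexdigest() for u, p in USERS.items()}
    unsalted_hits = recover_with_table(table, unsalted)
    salted = store_salted(USERS)
    salted_hits = recover_with_table(table, {u: d for u, (_, d) in salted.items()})
    salt, digest = salted["alice"]
    return unsalted_hits, salted_hits, verify("123456", salt, digest)
```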
Cool. Thanks for the info. I have a cyber security cert, but salting was only covered briefly in the course and not mentioned in the test.
Cert programs never cover the underlying details of cryptographic primitives, so I'm not surprised. Nor do they explain why things are the way they are.
If this is an area you're interested in, I would highly recommend the book Applied Cryptography by Bruce Schneier. There are others, but his is a great introduction on how a lot of this stuff works; it provides enough detail without getting buried in the weeds.
Thanks for the tip. I spent a while in academia and now I mostly learn for practical reasons like certifications, but also DIY and agriculture. I moved out to the sticks and spend more time identifying trees and observing animals than reading.