Greg Stark <gsstark@mit.edu> writes:
> However with a known salt you only have to store the 1,000 hashes with the
> known salt. You could instead store a dictionary of 64 million password
> guesses in the same gigabyte.

This is still not responding to my original point though: if you know
the salt that was used, you can try a brute-force scan of a few thousand
probable passwords in less CPU time than it will take to read a gigabyte
of precomputed hashes. The fact that common passwords are much shorter
than the fixed-size MD5 hashes works against you in a big way.

I think the only way for the defender to get any real traction is to not
store the random salt right next to the encrypted password, so that the
attacker who hypothetically has read pg_shadow still has to guess about
the salt that was used. If someone shows me a plausible way to do that,
I'm all ears.

> The threat model just doesn't apply.

This we agree on ...

regards, tom lane