#5
Old 10-24-2006, 10:31 PM
macamba
Member
 
Join Date: Feb 2006
Posts: 94
Rainbow table effectiveness?

Right now I am learning more about password auditing. Xatar, can you let me know whether the following is correct? I think I have three options:
1) dictionary attack
2) brute force attack
3) rainbow table attack
If I understand correctly, in option 3 you calculate the hashes in advance.
So in principle you get the effectiveness of a brute force attack and the efficiency of a dictionary attack.

I read that the rainbow table attack is not useful when the hash uses a SALT value.
I wonder whether this is true. See my thoughts below.
hash (password + SALT)
Let's say I have username 'admin' and password '12345'.
Which value does the hash function use for the SALT?
Would that be the value of the username, namely 'admin'?


Let's assume that the HASH calculates the following HASH VALUES for the two separate values:
for the username: admin the HASH is: xxxxx
and for the password: 12345 the HASH is yyyyy

If you calculate the hash for both values together, would the HASH output be the same as above? In fact, would the HASH value be:
HASH (password + SALT)
=
HASH (12345 + admin)
=
yyyyyxxxxx

If that were true, you could create a rainbow table based on generated random passwords and a variable you know, the username 'admin'.

Of course, as soon as the username is different in another audit, the generated rainbow table would be useless and a brute force attack would have the same effect.

But if you use a commonly used username, let's say 'administrator' or 'admin', the rainbow table attack can be useful and save some time.

@Xatar: are my conclusions correct or am I going wrong somewhere?

Thanks for your reply.

Regards,

Macamba
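Added example, not part of the original post or of any reply in the thread: a short Python script that works through the three cases the post raises. It uses the post's username 'admin', password '12345' and the scheme HASH(password + SALT), and the full space of five-digit numeric passwords as the candidate set. Two assumptions: the post names no hash function, so SHA-256 stands in for HASH; and a plain hash-to-password lookup table stands in for a rainbow table (the chain-based time/memory trade-off of a real rainbow table is left out, since the point here is only how the salt affects reuse of precomputed work).

```python
import hashlib
import itertools
import string
from typing import Dict, Iterable, Optional


# Assumption: the post does not name a hash function, so SHA-256 stands in for "HASH".
def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def salted_hash(password: str, salt: str) -> str:
    """The scheme from the post, HASH(password + SALT): one hash over the concatenated bytes."""
    return sha256_hex(password.encode() + salt.encode())


def equals_hash_of_parts(password: str, salt: str) -> bool:
    """Test the post's conjecture that HASH(password + SALT) == HASH(password) || HASH(SALT)
    by computing both sides and comparing them."""
    joined = salted_hash(password, salt)
    parts = sha256_hex(password.encode()) + sha256_hex(salt.encode())
    return joined == parts


# Constructed candidate space for the demo: every 5-digit numeric password (100,000 entries).
CANDIDATES = ["".join(digits) for digits in itertools.product(string.digits, repeat=5)]


def build_table(candidates: Iterable[str], salt: str = "") -> Dict[str, str]:
    """Precompute hash -> password for one fixed salt; salt="" models an unsalted hash.
    A plain lookup table stands in for a rainbow table here (no chains, no reduction function)."""
    return {salted_hash(pw, salt): pw for pw in candidates}


def lookup(table: Dict[str, str], target: str) -> Optional[str]:
    """The attack step a precomputed table buys you: one dictionary lookup instead of hashing."""
    return table.get(target)


def brute_force(target: str, salt: str, candidates: Iterable[str]) -> Optional[str]:
    """No precomputation: hash every candidate with the salt learned during the audit."""
    for pw in candidates:
        if salted_hash(pw, salt) == target:
            return pw
    return None


if __name__ == "__main__":
    # Case 1: is HASH(12345 + admin) just yyyyy followed by xxxxx?
    print("hash(password+salt) == hash(password)||hash(salt):",
          equals_hash_of_parts("12345", "admin"))
    print("length of HASH(12345 + admin) in hex chars:", len(salted_hash("12345", "admin")))

    # Case 2: unsalted hash, one table serves every target.
    unsalted = build_table(CANDIDATES)
    print("unsalted lookup:", lookup(unsalted, sha256_hex(b"12345")))

    # Case 3: salt = username. A table built for 'admin' works for 'admin' only.
    admin_table = build_table(CANDIDATES, salt="admin")
    print("admin-salt table vs admin:", lookup(admin_table, salted_hash("12345", "admin")))
    print("admin-salt table vs bob:  ", lookup(admin_table, salted_hash("12345", "bob")))

    # For a salt not covered by any table, the fallback is hashing candidates on the spot.
    print("brute force vs bob:       ", brute_force(salted_hash("12345", "bob"), "bob", CANDIDATES))
```

The admin-salt table is reusable exactly as far as the salt repeats: every account whose salt is 'admin' is covered by it, and an account with any other salt needs its own table, which is what brute_force builds implicitly by hashing the candidates after the salt is known.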