If we take encrypt to mean hash (which is probably what the implementation would most likely mean), this still has the same problem that server-side hashing does. Hashing is fast, GPUs can burn through creating rainbow tables at incredible speed (see http://stacksmashing.net/2010/11/15/cracking-in-the-cloud-am... ). Now if it's talking about implementing bcrypt (http://codahale.com/how-to-safely-store-a-password/) in the browser that would be a real solution, but them the problem becomes adoption (at which point, you basically need to implement it on the server anyways). Plus, users would need to be signaled that this was a safe password box, vs. an unsafe one (which could easily be spoofed by malicious sites).
Next, note that rainbow tables don't enter into the Gawker break; Gawker used DES crypt(3) passwords, which can't readily be "rainbow tabled".
Finally, note that if you're going to advocate for a browser authentication change, there are cryptographically sound protocols that have been studied for over a decade that fit the bill far better than half-measures that do nothing but break "rainbow tables". A good one to start reading up on is SRP.
Does anyone have any more specific information on whether they just called crypt(key,salt) or actually used a larger salt with a call to encrypt()? The crypt() function only takes a 12 bit salt which is marginally helpful against rainbow tables.
You wouldn't need 4096 if the choice of the salt was non-random; some versions of Unix used the first 2 characters of the username. What's the space requirement for a single rainbow table?
11 comments
[ 7.7 ms ] story [ 44.2 ms ] threadFirst, read: http://codahale.com/how-to-safely-store-a-password/
Next, note that rainbow tables don't enter into the Gawker break; Gawker used DES crypt(3) passwords, which can't readily be "rainbow tabled".
Finally, note that if you're going to advocate for a browser authentication change, there are cryptographically sound protocols that have been studied for over a decade that fit the bill far better than half-measures that do nothing but break "rainbow tables". A good one to start reading up on is SRP.
No TV and no beer makes Homer something something.
No TV and no beer makes Homer something something.
Oh dear. That'll never happen (examples: CSS, Html5 video, Javascript), which means this idea is dead in the water.