[Cryptography] CSPRNG for password salt
Stephan Neuhaus
stephan.neuhaus at tik.ee.ethz.ch
Wed Aug 20 03:14:39 EDT 2014
On 2014-08-20, 03:43, John B wrote:
> Hi all,
>
> Some research on the interwebs turned up the recommendation that a password
> hash's salt should only be generated with a cryptographically secure PRNG.
> Some sources specifically mention *not* using rand() and friends.
>
> What are the reasons for this? Specifically:
> a) What is the attack on a password hash generated with non-CSPRNG salt
> such as a rand() call?
> b) How realistic/plausible is such an attack?
a) The only "attack" I can think of is that rand() (IIRC) is a 32-bit
RNG, which would mean that after 2^16 generated salts, one should start
seeing collisions. And *if I knew in advance what that collision was*,
I could now hack two passwords as cheaply as one through a prepared
dictionary using that salt.
b) Now a salt is not an IV, so even with a collision, no keystream is
repeated, so I'm doubtful that even doubling the probability of success
counts for very much. I think it's much more likely that some user's
password is 123456 or something easily crackable, so the answer to that
is "not very".
Fun,
Stephan
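The birthday-bound reasoning in (a), and the "two passwords for the price of one" dictionary amortisation that a repeated salt buys, as an added Python example that is not part of the original thread. The salt widths, the constructed user records and dictionary, the seeded random.Random standing in for rand(), and the use of bare SHA-256 as the "password hash" are assumptions made here for illustration, not anything the post specifies.

```python
import hashlib
import os
import random
from collections import Counter


def expected_colliding_pairs(n_salts, salt_bits):
    """Birthday-bound estimate of the number of salt pairs that coincide when
    n_salts salts are drawn uniformly from a space of 2**salt_bits values."""
    return n_salts * (n_salts - 1) / 2 / float(2 ** salt_bits)


def prng_salts(n_salts, salt_bits, seed=0):
    """Salts from a seeded non-cryptographic PRNG restricted to salt_bits bits,
    standing in for a rand()-style generator (assumption: uniform output)."""
    rng = random.Random(seed)
    width = (salt_bits + 7) // 8
    return [rng.getrandbits(salt_bits).to_bytes(width, "big")
            for _ in range(n_salts)]


def csprng_salts(n_salts, salt_bytes=16):
    """Salts from the OS CSPRNG; 16 bytes is the width assumed here."""
    return [os.urandom(salt_bytes) for _ in range(n_salts)]


def colliding_pairs(salts):
    """Count the pairs of identical salts in a list."""
    return sum(k * (k - 1) // 2 for k in Counter(salts).values())


def hash_password(salt, password):
    """Illustrative salted hash only. A real deployment uses a slow password
    hash (bcrypt, scrypt, Argon2, PBKDF2); SHA-256 is used so this runs anywhere."""
    return hashlib.sha256(salt + password.encode()).digest()


def dictionary_attack(records, dictionary):
    """records: list of (user, salt, digest). Build one lookup table per
    distinct salt and reuse it for every user sharing that salt, so the cost is
    (distinct salts) x (dictionary size): a salt collision saves one full pass."""
    tables = {}
    cracked = {}
    evaluations = 0
    for user, salt, digest in records:
        if salt not in tables:
            tables[salt] = {hash_password(salt, pw): pw for pw in dictionary}
            evaluations += len(dictionary)
        if digest in tables[salt]:
            cracked[user] = tables[salt][digest]
    return cracked, evaluations


DICTIONARY = ["123456", "password", "letmein", "qwerty", "hunter2"]  # constructed


def make_records(shared_salt):
    """Constructed user database: alice and bob have dictionary passwords,
    carol does not. With shared_salt=True alice and bob carry the same 32-bit
    salt, as after a collision; otherwise every user has a fresh 16-byte salt."""
    salt_a = b"\x00\x00\x12\x34"  # a constructed 32-bit salt value
    salt_b = salt_a if shared_salt else os.urandom(16)
    salt_c = os.urandom(16)
    return [
        ("alice", salt_a, hash_password(salt_a, "hunter2")),
        ("bob", salt_b, hash_password(salt_b, "letmein")),
        ("carol", salt_c, hash_password(salt_c, "correct horse battery staple")),
    ]


if __name__ == "__main__":
    print("expected colliding pairs, 2^16 salts of 32 bits:",
          round(expected_colliding_pairs(2 ** 16, 32), 3))
    print("observed pairs, 3000 salts of 16 bits:",
          colliding_pairs(prng_salts(3000, 16)))
    print("observed pairs, 3000 salts of 128 bits:",
          colliding_pairs(csprng_salts(3000)))
    for shared in (True, False):
        cracked, cost = dictionary_attack(make_records(shared), DICTIONARY)
        print("shared salt:" if shared else "unique salts:", cracked, cost)
```

The 16-bit run is there only to make collisions visible in a few thousand draws; with 32-bit salts the same estimate gives about half a colliding pair at 2^16 salts, which is the figure in the post, and with 128-bit salts from os.urandom the count stays at zero. The attack cost drops from three dictionary passes to two once alice and bob share a salt; it does not help against carol, whose password is not in the dictionary at all.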