undefined | Better HN

0 pointsakerl_11y ago0 comments

No, because then the person generating their table just takes that into account. It's slighly harder, but not noticeably so compared to how secure it needs to be.

0 comments

2 comments · 1 top-level

sillysaurus311y ago· 1 in thread

It seems like as long as the complexity of the passphrase is sufficient, then a rainbow table can't be effective. For example, a 128-bit random AES key is a kind of passphrase that's generally not susceptible to a rainbow table attack (though it's very hard for humans to remember). So the problem here is, how do you force the user to make their passphrase sufficiently complex?

Passphrases also don't protect against keyloggers, which is a downside of this approach.

akerl_OP11y ago

You force the password to be sufficiently complex by doing what you said: creating it (pseudo)randomly. The aforementioned 128 bit random AES key is robust, assuming the PRNG is solid. A user-provided password utilizing the human mind as its PRNG will never come close.

j / k navigate · click thread line to collapse