undefined | Better HN

0 pointsmtrimpe11y ago0 comments

> 1. Empirically: most of the applications I reviewed that used bcrypt simply used the defaults.

Isn't that a security risk of it's own though? Wouldn't creating a rainbow table for (non-salted) passwords hashed with the default bcrypt settings then make sense again?

0 pointsmtrimpe11y ago0 comments

> 1. Empirically: most of the applications I reviewed that used bcrypt simply used the defaults.

Isn't that a security risk of it's own though? Wouldn't creating a rainbow table for (non-salted) passwords hashed with the default bcrypt settings then make sense again?

0 comments

5 comments · 1 top-level

tptacek11y ago· 4 in thread

No.

mtrimpeOP11y ago

Why?

Also; if you don't feel like writing a useful response feel free not to respond at all.

redler11y ago

Because bcrypt automatically generates and adds a salt every time it's invoked. Every bcrypt hash has a different salt. Hashing the same plaintext ten times will produce ten different hashes.

1 more reply

tedunangst11y ago

One of the things that make these password hashing threads astonishingly tedious is that somebody who has never so much as googled "bcrypt" always chimes in with "but what about the rainbow tables???".

1 more reply

teraflop11y ago

Because bcrypt uses a salt, so a "rainbow table for non-salted passwords" would be utterly useless.

j / k navigate · click thread line to collapse

0 comments

5 comments · 1 top-level

tptacek11y ago· 4 in thread

No.

mtrimpeOP11y ago

Why?

Also; if you don't feel like writing a useful response feel free not to respond at all.

redler11y ago

Because bcrypt automatically generates and adds a salt every time it's invoked. Every bcrypt hash has a different salt. Hashing the same plaintext ten times will produce ten different hashes.

1 more reply

tedunangst11y ago

1 more reply

teraflop11y ago

Because bcrypt uses a salt, so a "rainbow table for non-salted passwords" would be utterly useless.

j / k navigate · click thread line to collapse