There are two things the attacker needs to do to recover a password: generate the hash of a candidate password, and compare the calculated hash against the stored hash for some user. Without a salt, the same password always results in the same hash, so given a list of common passwords, the attacker can generate the hash for each of them once and compare the result to as many stored hashes as they want. Importantly, the hashing operation is much more expensive than the comparison, particularly if using an algorithm designed for the purpose like bcrypt, scrypt, PBKDF2, or Argon2 (SHA-256 is designed to be fast, for data verification, so is not a good choice). So we generally ignore the comparisons and just count how many hashes need to be generated.
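To make the cost argument concrete, here is an added example (not from the original post) that counts hash operations for the two storage schemes described above. The wordlist, user names and passwords are constructed sample data; the salted scheme uses PBKDF2-HMAC-SHA256 from the standard library with a deliberately low iteration count so it runs instantly.

```python
import hashlib
import os

# Constructed sample data: a tiny wordlist and three users, two of whom
# picked the same weak password.
WORDLIST = ["123456", "password", "qwerty", "letmein"]
USER_PASSWORDS = {"alice": "qwerty", "bob": "password", "carol": "qwerty"}


def hash_unsalted(pw: str) -> bytes:
    # Fast general-purpose hash, no salt: the weak scheme the text warns about.
    return hashlib.sha256(pw.encode()).digest()


def hash_salted(pw: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256 with a per-user salt. 1000 iterations keeps the demo
    # quick; production settings are far higher.
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 1000)


def store_unsalted() -> dict:
    return {u: hash_unsalted(p) for u, p in USER_PASSWORDS.items()}


def store_salted() -> dict:
    records = {}
    for user, pw in USER_PASSWORDS.items():
        salt = os.urandom(16)  # fresh random salt for every record
        records[user] = (salt, hash_salted(pw, salt))
    return records


def hashes_to_test_wordlist_unsalted(stored: dict):
    # One hash per wordlist entry serves every stored record: build the table
    # once, then each stored hash is a cheap dictionary lookup.
    table = {hash_unsalted(g): g for g in WORDLIST}
    ops = len(WORDLIST)
    matches = {u: table.get(h) for u, h in stored.items()}
    return ops, matches


def hashes_to_test_wordlist_salted(stored: dict):
    # The table cannot be shared: every wordlist entry must be re-hashed under
    # each user's salt, so the hash count scales with users x wordlist size.
    ops, matches = 0, {}
    for user, (salt, h) in stored.items():
        matches[user] = None
        for g in WORDLIST:
            ops += 1
            if hash_salted(g, salt) == h:
                matches[user] = g
    return ops, matches
```

With three users and four candidate passwords the unsalted store needs 4 hash computations to check every user, the salted store needs 12, and only in the unsalted store do alice and carol share an identical stored hash.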