A proper KDF is more important if you are trying to break a specific user's pass... | Hacker News

Hacker Newsnew | past | comments | ask | show | jobs | submit

		davis_m on April 1, 2015 \| parent \| context \| favorite \| on: Enough with the Salts: Updates on Secure Password ... A proper KDF is more important if you are trying to break a specific user's password. It will simply take too long to try any reasonable number of attempts. However, in the event that you have a large database leak individual salts become just as important. When looking thousands of users, unsalted hashes allow attackers to start with the most common passwords used and compare them to the entire leaked database in one try.

kasey_junk on April 1, 2015 [–]

Are there any proper KDFs that don't include a random salt?

boogboog on April 1, 2015 | [–]

this whole discussion is a red herring. Of course all current KDFs include salting as a form of key stretching. That's because no one designing them is writing off rainbow table attacks.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact