I\'m asking my question here since I was not able to find an answer anywhere. I

Question

I'm asking my question here since I was not able to find an answer anywhere. I have written a piece of software which stores pretty delicate passwords. I have used BCrypt as hashing algorithm with an appropriate setting of strength. Point is, I have now implemented a method which, everytime the user changes something, chooses a new random salt and hashes the passwords using the new salt. Now worst case scenario would be that someone has, say, one hundred pairs of the passwords hash with the used salt. My question is if this information would help an attacker, and if yes, to which extent.

Thanks to everyone who takes his time to read/answer my question in advantage. Cheers, Tephelon

Explanation / Answer

Assuming you mean an attacker has 100 copies of the same password hashed with 100 different salts, then no, that doesn't provide any advantage to them in findings the plaintext password. The benefit of using different salts means that cracking attempts aimed at any one of the hashes must be done independently of the computational work used for the others.

In theory an attacker could build a rainbow table with bcrypt hashes using a specific salt. By increasing the number of salted hashes you increase the likelihood of one of your salted hashes matching the salt they built their rainbow table with. However, if your salt is chosen from a reasonable pool of possibilities then this has an infinitesimally small chance of paying off for the attacker.

Related Questions

Navigate

• Browse (All)
• Browse I
• Subjects

Integrity-first tutoring: explanations and feedback only — we do not complete graded work. Learn more.