Question

I hash my passwords with MD5. I'm not really concerned about hashing them using the best algorithms out there, because I believe that adding the most random salt a simple MD5 hash cannot be recognized by the so called "MD5 DECODERS". The only thing that's bugging me is brute forcing. I was wondering if it will make any difference if I included characters from different alphabets ( arabic, chinese, japanese, cyrillic ) in the salt of my passwords. Question being if that is going to complicate brute forcing?


Solution 2

Of course it makes the brute force attack harder. When doing a brute force you simply try all combinations out of a limited pool of chars, which will most likely not contain Arabic, Chinese, Japanese or Cyrillic chars. It is unlikely that someone who wants to attack your password is choosing a pool with these chars, because with increasing pool size the time to get the password is increasing exponentially.

You can calculate the amount of combinations like this:

Charpool = 52 (lowercase + uppercase alphabet)

Combinations = 52^Length

Which results in 380204032 combinations for a 5 letter password.

But to answer your question: yes, it will make brute forcing more complicated. Not only because of the increased char pool, but even more because of the fact that the attacker has to include these exotic chars in his attack.

OTHER TIPS

One of the advantages of salting a password hash is to reduce the risk of using lookup lists (etc.) if the list of hashes is compromised.

For the purposes of illustration, consider:

Alice has password "Ford", which hashes as value x.
Bob also has password "Ford", which still hashes as value x.

Now, if the user/hash list is compromised and Alice's password is brute forced, then the attacker can also compromise Bob's account.

Having a fixed salt doesn't help matters, as whilst the passwords may be the same between the two users, the result of the hash will be different from previously, but would be the same for both users. Finding a password for Alice will also work for Bob.

Salting the password with a deterministic string per user (it must be deterministic, as you have to use the same thing for the user each time) now means that even if Alice and Bob have the same password, their hashes may differ (perhaps if the salt was their username). Anyone trying to compromise the accounts now has to brute force every user to compromise the list.

So, with this knowledge of why hashes are useful, you get to the next point: do the characters matter? If you consider a 16 byte hash (such as MD5, which really shouldn't be used for cryptographic purposes, but you already knew that), that gives you 128 bits of entropy. If you have a password policy that has a decent minimum password length, and perhaps requires a good mix of characters (even € is good enough to be a multi-byte character in UTF-8, which will give entropy over all 8 bits of the character in the way that Kanji would), then any (per user) salt would work equally well.
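The following Python script is an added example illustrating both answers above; it is not code from either answerer. It computes the search-space formula from Solution 2 (pool size raised to the password length), then walks through the Alice/Bob scenario from the second answer: unsalted MD5 and a fixed site-wide salt give the two users identical digests, a per-user salt (the username, as the answer suggests) gives different ones, and a precomputed lookup table of unsalted digests stops matching once a per-user salt is in play. It also shows what the € remark means in bytes. The users, passwords and the site-wide salt string are constructed for the demo; `pbkdf2_hmac` from the standard library is shown as the hardened replacement for plain MD5.

```python
import hashlib
import secrets


def combinations(pool_size: int, length: int) -> int:
    """Brute-force search space: pool_size ** length (the formula in Solution 2)."""
    return pool_size ** length


def utf8_byte_length(text: str) -> int:
    """Multi-byte characters such as € or Kanji occupy several bytes of salt each."""
    return len(text.encode("utf-8"))


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def unsalted(password: str) -> str:
    # Same password -> same digest for every user, so one crack hits all of them
    # and a precomputed table ("MD5 decoder") finds it directly.
    return md5_hex(password.encode("utf-8"))


def fixed_salt(password: str, site_salt: str = "constructed-site-wide-salt") -> str:
    # A single site-wide salt defeats generic lookup tables, but Alice's and
    # Bob's digests are still identical, so cracking one cracks both.
    return md5_hex((site_salt + password).encode("utf-8"))


def per_user_salt(password: str, salt: str) -> str:
    # A salt that differs per user (here the username, deterministic per user)
    # gives different digests even when the passwords are equal.
    return md5_hex((salt + password).encode("utf-8"))


def pbkdf2(password: str, salt: bytes, iterations: int = 200_000) -> str:
    # Hardened form: random per-user salt plus a deliberately slow KDF.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations).hex()


def build_lookup_table(candidates):
    """Precomputed unsalted-MD5 -> password mapping, i.e. a lookup list."""
    return {unsalted(p): p for p in candidates}


def lookup_hits(table, digests) -> int:
    """Number of stored digests a precomputed table recovers."""
    return sum(1 for d in digests if d in table)


def demo() -> dict:
    # Constructed sample users; "Ford" is the password used in the answer above.
    users = {"alice": "Ford", "bob": "Ford"}
    table = build_lookup_table(["Ford", "password", "letmein"])  # constructed candidate list

    unsalted_digests = [unsalted(pw) for pw in users.values()]
    fixed_digests = [fixed_salt(pw) for pw in users.values()]
    per_user_digests = [per_user_salt(pw, name) for name, pw in users.items()]
    random_salts = {name: secrets.token_bytes(16) for name in users}
    kdf_digests = [pbkdf2(pw, random_salts[name]) for name, pw in users.items()]

    return {
        "search_space_52_5": combinations(52, 5),
        "euro_bytes": utf8_byte_length("€"),
        "unsalted_identical": unsalted_digests[0] == unsalted_digests[1],
        "fixed_salt_identical": fixed_digests[0] == fixed_digests[1],
        "per_user_identical": per_user_digests[0] == per_user_digests[1],
        "kdf_identical": kdf_digests[0] == kdf_digests[1],
        "table_hits_unsalted": lookup_hits(table, unsalted_digests),
        "table_hits_per_user": lookup_hits(table, per_user_digests),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running the script prints that the unsalted and fixed-salt digests are identical for both users (and the unsalted ones are found by the lookup table), while the per-user salted and PBKDF2 digests differ and the table recovers none of them. Note that the salt is stored next to the hash, so its purpose is to force per-user work and defeat precomputation, not to act as a second secret.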

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow