Thread: Best way to use salts? View Single Post
 09-01-2009, 06:45 PM #17 (permalink) Village Idiot Wizard       Join Date: Sep 2007 Posts: 1,299 Thanks: 17 Since MD5 doesn't leave a footprint when you salt, any salt will make reverse engineering measures pointless. The only way they can get past a salt it to guess exactly where it was in the string and its exact value. Which is practically impossible when you don't know the original string. It in high theory is harder to guess a salt that long and complex, but for all practical purposes it is pointless. Edit: a quick mathematical layout A normal salt with only letters, numbers and punctuation marks that is twelve characters long has approximately 12^51 (~1.1x10^55) possible combination. While yours would have much higher number like 45^70 (~ 5.3x10^115). At one million guesses per second, it would take a computer 3.5x10^41 years to guess the plain salt. Yours would take 1.7x10^102. Neither of these account for the fact that the location is unknown (meaning each possible location is another one of these) and you cant verify your finding is correct without the original password to compare it against. It would take far less time to brute force the password itself opposed to reversing the hash. __________________