GPEN · Question #409
GPEN Question #409: Real Exam Question with Answer & Explanation
The correct answer is B. Salts double the total size of a rainbow table database. Adding salts to passwords forces an attacker to generate a separate rainbow table for each distinct salt value, so a table precomputed in advance no longer applies across accounts; the storage and computation required grow with the number of possible salt values (a single-bit salt already doubles it).
Question
Options
- A. Salts increase the time to crack the original password by increasing the number of tables that
- B. Salts double the total size of a rainbow table database.
- C. Salts can be reversed or removed from encoding quickly to produce unsalted hashes.
- D. Salts have little effect because they can be calculated on the fly with applications such as
Explanation
A salt is a random value combined with the password before hashing, so it changes the input to the hash function. A rainbow table precomputed for unsalted hashes (or for one particular salt) therefore never matches a hash produced under a different salt. The attacker must generate a separate table per distinct salt value: with a random n-bit salt that is up to 2^n tables, which is why pre-calculated tables become impractical. "Double" in option B is the smallest possible case (a one-bit salt); realistic salts of 16 bytes or more multiply the storage and computation far beyond that.
Common mistakes.
- A. Option A's text is truncated on this page. Salts do not merely slow lookups within an existing rainbow table: they invalidate the entire pre-calculated table for any account using a different salt, requiring a full recomputation per unique salt.
- C. Salts are not reversible or strippable from a stored hash. The salt modifies the input fed to the hash function, and a cryptographic hash cannot be inverted, so the salt's effect cannot be removed from the output to recover an unsalted hash.
- D. The salt is normally stored in plaintext next to the hash, so the attacker does know it; what a cracking tool cannot do is reuse a table computed for a different salt. Recomputing per salt costs as much as a direct dictionary attack against that one account, so the precomputation advantage is removed rather than merely reduced, and many accounts can no longer be attacked with a single table.
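A worked illustration of the effect, as an added example that is not part of the exam question or of the OWASP reference. A plain digest-to-password lookup table stands in for a rainbow table (both are precomputations tied to one exact hash input), SHA-256 stands in for the hash function (the cheat sheet recommends Argon2id, scrypt or bcrypt for real password storage), and the wordlist and victim password are constructed for the demo.

```python
import hashlib
import secrets
from typing import Dict, Optional

# Constructed toy wordlist standing in for the attacker's dictionary.
WORDLIST = ["password", "letmein", "qwerty", "hunter2", "correcthorse"]


def unsalted_hash(password: str) -> str:
    """Hash the password alone: the layout a rainbow table is built for."""
    return hashlib.sha256(password.encode()).hexdigest()


def salted_hash(password: str, salt: bytes) -> str:
    """Hash salt || password, so the salt changes the hash function input."""
    return hashlib.sha256(salt + password.encode()).hexdigest()


def build_table(salt: bytes = b"") -> Dict[str, str]:
    """Precompute digest -> password for the wordlist under one salt.

    Every entry is tied to this exact salt; a table built for b"" (unsalted)
    contains no digest that a salted store will ever produce.
    """
    return {salted_hash(word, salt): word for word in WORDLIST}


def lookup(table: Dict[str, str], digest: str) -> Optional[str]:
    """Rainbow-table style lookup: constant time per stored hash."""
    return table.get(digest)


def tables_needed(salt_bits: int) -> int:
    """Tables an attacker needs to cover every possible salt value."""
    return 2 ** salt_bits


def demo(password: str = "hunter2") -> Dict[str, Optional[str]]:
    # The attacker builds one unsalted table in advance and reuses it.
    precomputed = build_table()

    # Victim 1 stores unsalted hashes: immediate hit from the old table.
    unsalted_hit = lookup(precomputed, unsalted_hash(password))

    # Victim 2 stores salted hashes with a random 16-byte salt. The salt is
    # stored next to the hash, so the attacker knows it, yet the precomputed
    # table holds no digest computed under that salt.
    salt = secrets.token_bytes(16)
    stored = salted_hash(password, salt)
    salted_miss = lookup(precomputed, stored)

    # Only a table rebuilt for this exact salt matches, and it serves this one
    # account only; the rebuild costs the same as a direct dictionary attack,
    # so precomputation no longer buys anything.
    rebuilt_hit = lookup(build_table(salt), stored)

    return {
        "unsalted_hit": unsalted_hit,
        "salted_miss": salted_miss,
        "rebuilt_hit": rebuilt_hit,
    }


if __name__ == "__main__":
    print(demo())
    # A 1-bit salt doubles the table count; a 128-bit salt makes it 2**128.
    print(tables_needed(1), tables_needed(128))
```

Running the script shows the unsalted hash cracked from the stale table, the salted hash missed, and the same password recovered only after rebuilding the table for that specific salt. `tables_needed` makes the arithmetic behind option B explicit: "double" corresponds to a one-bit salt, and each additional salt bit doubles the count again.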
Concept tested. Effect of password salts on rainbow table pre-computation attacks
Reference. https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html
Community Discussion
No community discussion yet for this question.