Quote Originally Posted by K. Wolfe
Right, pre-computed hashes. So if I know the salt for the entire DB, I re-hash my dictionary with that salt. How long will that take? One could write a pretty simple application that takes the salt from each record, re-hashes the dictionary for that single record, checks for a match, and moves on to the next.

Does anyone know how large dictionaries usually are, and how long it might take to re-hash the entire DB once through on a decent machine?
If the DB has only a static salt, then here's what an attacker would probably do: hash(Salt + common password such as "abc123"), then search the database for that hash. If any user in your entire DB used that password, then in one fell swoop, the attacker would have identified the password for one or maybe multiple users. But if every user has a unique salt, then the attacker can't check all passwords at once. He would need to re-compute the hash for each user.

How much time it would take depends on the objective and password strength. If the attacker is looking for any random user with a weak password so that he can exploit that user on other sites, then it probably won't take much time. Let's say he has a list of the 5 thousand most common passwords, 1 million users in your DB, and 1 ms to compute a hash; then it would take about 2 months to identify the users with weak passwords. (Though password strengthening can increase that compute time by 100x or 1000x.) On the other hand, if the objective were to attack your site specifically by brute-forcing the admin password (hopefully a strong password of at least 8 characters of mixed case letters, numbers and symbols), then it would take a couple hundred thousand years.
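To make the difference between a static salt and per-user salts concrete, here is an added example (my own illustration, not code from either poster). It builds a tiny constructed user table two ways, runs the same dictionary attack against both, and counts how many hash computations each one costs. It also carries the cost arithmetic from the reply above through as a function. The hash function (SHA-256 over salt || password), the user names, passwords and the five-word dictionary are all assumptions made up for the demonstration; SHA-256 is used only because it is in the standard library, not because it is a recommended password hash.

```python
import hashlib
import os
from collections import defaultdict

# Constructed sample data: four users, two of whom share a weak password.
USERS = {
    "alice": "abc123",
    "bob": "letmein",
    "carol": "correct horse battery staple",
    "dave": "abc123",
}

# Constructed "most common passwords" list (stand-in for a real 5k wordlist).
WORDLIST = ["password", "abc123", "letmein", "qwerty", "123456"]


def hash_password(salt: bytes, password: str) -> str:
    """Illustrative scheme only: SHA-256(salt || password)."""
    return hashlib.sha256(salt + password.encode()).hexdigest()


def build_db(users, static_salt=None):
    """Return {name: (salt, digest)}.

    With static_salt every record shares one salt; otherwise each record
    gets its own 16-byte random salt.
    """
    db = {}
    for name, pw in users.items():
        salt = static_salt if static_salt is not None else os.urandom(16)
        db[name] = (salt, hash_password(salt, pw))
    return db


def crack(db, wordlist):
    """Dictionary attack over the whole DB.

    Records are grouped by salt so that one computed hash is compared against
    every record that shares that salt. A static salt means one group, so each
    dictionary word is hashed once for the entire DB; per-user salts mean one
    group per user, so each word must be re-hashed for every record.
    Returns (found: {name: password}, hashes_computed).
    """
    by_salt = defaultdict(lambda: defaultdict(list))
    for name, (salt, digest) in db.items():
        by_salt[salt][digest].append(name)

    found = {}
    hashes = 0
    for salt, digests in by_salt.items():
        for word in wordlist:
            h = hash_password(salt, word)
            hashes += 1
            for name in digests.get(h, []):
                found[name] = word
    return found, hashes


def dictionary_attack_seconds(num_users, wordlist_size, seconds_per_hash,
                              per_user_salt):
    """Cost of trying every dictionary word against every record."""
    hashes = wordlist_size * (num_users if per_user_salt else 1)
    return hashes * seconds_per_hash


def brute_force_years(alphabet_size, length, seconds_per_hash):
    """Cost of exhausting every password of the given length for one record."""
    seconds = (alphabet_size ** length) * seconds_per_hash
    return seconds / (365 * 24 * 3600)


if __name__ == "__main__":
    static_found, static_hashes = crack(build_db(USERS, b"site-wide-salt"), WORDLIST)
    per_user_found, per_user_hashes = crack(build_db(USERS), WORDLIST)
    print("static salt :", static_found, "hashes:", static_hashes)
    print("per-user salt:", per_user_found, "hashes:", per_user_hashes)
    # The reply's numbers: 5k words, 1M users, 1 ms per hash.
    days = dictionary_attack_seconds(10**6, 5000, 1e-3, True) / 86400
    print(f"per-user salt, 5k words x 1M users at 1 ms: {days:.0f} days")
    # 8 characters drawn from the 95 printable ASCII characters, 1 ms per hash.
    print(f"8-char brute force at 1 ms: {brute_force_years(95, 8, 1e-3):,.0f} years")
```

Both runs recover the same weak passwords; the difference is purely in the number of hashes the attacker has to compute (5 for the static salt, 4 users x 5 words = 20 for per-user salts, and that gap scales with the number of users). Any hash-stretching scheme multiplies seconds_per_hash and so multiplies both cost figures directly.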