Free Republic
General/Chat

To: for-q-clinton
The salt hash only puts in something unique per user then hashes it.

Yes, but look at it from this perspective. Rainbow uses a brute force method. It checks every possible combination to crack the password. Now add on a 4-digit (some are larger) unique ID to the beginning of the hash, and you increase the possibilities by 7,311,616 times. So--take Rainbow's 64GB table, multiply it by 7.3MB, and your table now becomes over 467TB. The time it would take to go through all that makes it essentially unbreakable with today's speed and technology.

413 posted on 08/30/2005 7:47:57 AM PDT by ShadowAce (Linux -- The Ultimate Windows Service Pack)


To: ShadowAce
Yes, but look at it from this perspective. Rainbow uses a brute force method. It checks every possible combination to crack the password. Now add on a 4-digit (some are larger) unique ID to the beginning of the hash, and you increase the possibilities by 7,311,616 times. So--take Rainbow's 64GB table, multiply it by 7.3MB, and your table now becomes over 467TB. The time it would take to go through all that makes it essentially unbreakable with today's speed and technology.

This isn't accurate. If Windows has a policy for 12-character passwords with uniqueness (letters, caps, special) and Linux has a policy set to only 8-character passwords, then they'd be about the same.

414 posted on 08/30/2005 7:53:59 AM PDT by for-q-clinton (If at first you don't succeed keep on sucking until you do succeed)

To: ShadowAce
Also that just proves Rainbow Crack isn't 100% against Windows passwords (or even 90% with the right password policy).

Don't get me wrong, salting is a good thing, but it's not foolproof against brute force. It's more of a way to help protect dumb admins that allow weak/short passwords.

Oh ya, as far as Rainbow goes...my brief reading of it says you can tailor the hash table to what you need. So if you know the Linux password is 8 and the salt is 4...you'd start with 12 character passwords to hash. So Linux is just as vulnerable.

416 posted on 08/30/2005 7:59:11 AM PDT by for-q-clinton (If at first you don't succeed keep on sucking until you do succeed)
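
An added illustration of the salting discussion in posts 413-416 (not code from any poster or from the tools named in the thread): one precomputed hash table is matched against an unsalted and a salted record, then a salt-aware guess loop is run against the salted one. SHA-256 as a stand-in hash, the 52-letter salt alphabet (which gives the 7,311,616 figure for 4 characters), and all function names and sample passwords are assumptions constructed for this example.

```python
import hashlib
import secrets
import string

SALT_ALPHABET = string.ascii_letters  # assumption: 52 symbols per salt character
SALT_LEN = 4                          # the 4-character salt from the thread
CANDIDATES = ["letmein", "password", "qwerty12"]  # constructed guess list

def h(data: str) -> str:
    # SHA-256 is a stand-in for whatever hash the system actually uses.
    return hashlib.sha256(data.encode()).hexdigest()

def new_salt() -> str:
    return "".join(secrets.choice(SALT_ALPHABET) for _ in range(SALT_LEN))

def store_unsalted(password: str) -> dict:
    return {"hash": h(password)}

def store_salted(password: str, salt: str = None) -> dict:
    # The salt is stored in the clear next to the hash.
    salt = salt or new_salt()
    return {"salt": salt, "hash": h(salt + password)}

def build_table(candidates) -> dict:
    """Precompute hash -> password once; reusable against every unsalted record."""
    return {h(p): p for p in candidates}

def lookup(table: dict, record: dict):
    """Precomputed lookup: only hits if the stored hash was made without a salt."""
    return table.get(record["hash"])

def guess_with_salt(candidates, record: dict):
    """Per-record guessing: every candidate is re-hashed with this record's salt."""
    for p in candidates:
        if h(record["salt"] + p) == record["hash"]:
            return p
    return None

def salted_table_factor() -> int:
    """How many separate precomputed tables would be needed to cover every salt."""
    return len(SALT_ALPHABET) ** SALT_LEN

if __name__ == "__main__":
    table = build_table(CANDIDATES)
    salted = store_salted("password")
    print("unsalted lookup:", lookup(table, store_unsalted("password")))
    print("salted lookup:  ", lookup(table, salted))
    print("salt-aware loop:", guess_with_salt(CANDIDATES, salted))
    print("tables needed:  ", salted_table_factor())
```

The precomputed table misses the salted record, while the per-record loop still recovers a password that is on the guess list; a password outside the list is not recovered either way.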
