It looks like it uses a randomly generated unique 128bit salt from crypto.getRandomValues, can you explain what it is doing wrong to be rainbow attack resistant?
The bounty password looks like 2 names, a type of flower, and a two word object. That significantly reduces the search space. Though, it's likely at least one of those words are non-standard or wouldn't be found in any wordlist.
This is the kind of password I use to protect my actual secrets. So if someone is able to crack it, I'd like to know. The bounty is for a 'realistic' use case.
If you want to avoid wordlist vulnerabilities, try this:
Choose a lyric from a favorite song. Concatenate the first letter of each word in the lyric. Example:
“Rock the Casbah
Sharif don't like it”
Becomes:
rtcsdli
Add capitalization or numbers/special characters according to your own pref. For example, maybe your decide to alternate lower and upper case and always end with a bang:
rTcSdLi!
Although you have to use the same capitalization rules for all passwords if you have any hope of remembering them.
That is security by obscurity. If somebody knows your method, they can scrape the lyrics for all popular songs, narrow your password down to a few million possible passwords and just try them all.
10s of thousands of popular songs, dozens of lines per song.
> Although you have to use the same capitalization rules for all passwords if you have any hope of remembering them.
So no additional combinations from that. Your algorithm is simple and common enough that it's possible that an attacker can figure it out from a single leaked password. With one leaked password they've compromised all of your passwords to anything they have the capability of trying a few million passwords on.
You wrote Pooh songs. Not me. There are millions of songs with lyrics. Billions of lines of lyrics. Trillions of combinations that include upper and lower case. Good luck.
Yeah, plus they even give hints to the password complexity, so unless that is a red herring, this should be pretty simple to crack, if not CPU consuming.
Just combine https://github.com/mejdoubi/rainbow-table and their algorithm together. It would probably take me a few hours to put together, but for someone who is very familiar with cryptography, it would be minimal work.
I think the author of that repo misunderstands what a rainbow table is. I only quickly skimmed the code, but it doesn't seem to do anything related to rainbow tables.
On top of that, a rainbow table (if that is what you're looking to use) would not help here. The password is both very long and salted.
The repo was just a quick example of how one would use a rainbow table to crack the password. Yes, the fact that it only generates a simple rainbow table means that it isn't the holy grail to the exercise, but the idea of a rainbow table is that someones out there have already been running and generating a rainbow table for many years.
