
How should one defend against an off-line brute force password attack?

Tags: passwords

I was wondering if it was a common practice to salt and hash a password like

E(padding || hash(salt || password))

where || is concatenation and E uses RSA for example. I'm primarily asking this question for transport of a password database (not online storage where the server would have the private key to decrypt the encrypted password at all times).

I know that a cryptographic hash should be irreversible, but an off-line brute force attack on weak passwords would easily reveal a password. To eventually decrypt a record in this database, the server will know the length of padding and simply take away padding to reveal hash(salt || password).

This is not a typical problem, but I couldn't find a reference as to someone having to properly transport a password database and defend against an offline attack.


1 Answer

Encrypt the password file with something strong, then it doesn't matter how the passwords are stored inside the file.

I.e., use something like PGP for transport.

I noticed that this answer has been downvoted once, before someone else upvoted it, and just thought I would clarify it, since I suspect the person that downvoted my answer didn't actually read the question. On the other hand, perhaps full encryption of the entire file is not possible for the person asking the question. This would be a handy clarification in the question if that is the case.

Anyway, the question specifically states that this is about transporting the data(base). It also specifically states that this is not about online storage and usage.

As such, using a safe and secure encryption method for the entire file is really the best way to go, as then you're not limited to having to manipulate the file contents to try to mask each individual password.

Instead, the whole file would be meaningless, and if more than just the password file is to be transported, it would be lumped together with, and thus encrypted together with, a lot more data, making the process of identifying the passwords nearly impossible as well.

The attacks on such encrypted files are a lot less likely to succeed, if you pick a reputable encryption algorithm and implementation (PGP, GPG, etc.), than inventing something yourself, or at the very least making it easy for the attacker to find the individual passwords in small chunks.

Lasse V. Karlsen answered Feb 04 '26 16:02
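
The transport step this answer recommends, sketched as an added example that is not part of the original answer: the receiving side generates a key pair, the sender encrypts the whole export to the public key, and only the receiver can decrypt. It assumes GnuPG 2.1 or later; the user ID, file names, and records are constructed for the demo.

```sh
# Added example: whole-file public-key encryption of a password export for transport.
# Assumes GnuPG 2.1+; every name, path and record below is constructed for the demo.
g() { h=$1; shift; gpg --batch --quiet --no-tty --homedir "$h" "$@"; }

transport_roundtrip() {
  command -v gpg >/dev/null 2>&1 || { echo "gpg not installed" >&2; return 2; }
  work=$(mktemp -d) || return 1
  uid='db-transport@example.invalid'
  mkdir -m 700 "$work/receiver" "$work/sender"
  rc=0
  # Constructed export: user:salt:hash records with placeholder hashes.
  printf '%s\n' 'alice:3f9a:PLACEHOLDER_HASH_1' 'bob:77c2:PLACEHOLDER_HASH_2' > "$work/users.db"

  # Receiver: create the key pair and export only the public half.
  g "$work/receiver" --pinentry-mode loopback --passphrase '' \
      --quick-generate-key "$uid" default default never &&
  g "$work/receiver" --armor --export "$uid" > "$work/receiver.pub" &&
  # Sender: import the public key, then encrypt the whole file to it.
  # --trust-model always is acceptable only because this key is a throwaway;
  # for a real key, verify its fingerprint out of band instead.
  g "$work/sender" --import "$work/receiver.pub" &&
  g "$work/sender" --trust-model always --recipient "$uid" \
      --output "$work/users.db.gpg" --encrypt "$work/users.db" || rc=1

  if [ "$rc" -eq 0 ]; then
    # No plaintext record is visible in the transported artifact.
    if grep -q 'alice' "$work/users.db.gpg"; then rc=1; fi
    # The sender keyring holds no private key, so it cannot decrypt.
    if g "$work/sender" --decrypt "$work/users.db.gpg" >/dev/null 2>&1; then rc=1; fi
    # The receiver recovers the export byte for byte.
    g "$work/receiver" --output "$work/users.out" --decrypt "$work/users.db.gpg" 2>/dev/null &&
      cmp -s "$work/users.db" "$work/users.out" || rc=1
  fi
  for d in receiver sender; do
    gpgconf --homedir "$work/$d" --kill gpg-agent >/dev/null 2>&1 || true
  done
  rm -rf "$work"
  return "$rc"
}

transport_roundtrip && echo "round trip OK"
```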
