Re: Values to use for a salt?

Hi all,

Don't you think using extendedASCII set will dramatically increase the
performance of any algorithm currently in use? Imagine what a pass like
"|¤W-|[V.|1D-|`â-|Ë3-|%-|F0-|   " means for a cracker:  (selected from line
22 (I think...) from regedit.exe). Imagine using Unicode characters for keys
...
Will you still need salt and others?

Marian Ion




----- Original Message ----- 
From: "Craig Minton" <CraigSecurity@xxxxxxxxxxxxx>
To: <secprog@xxxxxxxxxxxxxxxxx>
Sent: Monday, December 15, 2003 9:32 PM
Subject: Values to use for a salt?


> My understanding is that salts are used to help deter dictionary attacks
where the attacker has created a pre-hashed list of passwords and comparing
them against the actual hashed passwords.  Using salts means the attacker
must compute all possible values of the password in the dictionary plus by
the possible salts, which makes it computationally unfeasable.
>
> Someone suggested recently of using the password as the salt.  I have
never seen this discussed before, and would like to get opinions of it.
What would be wrong with this, especially if it were altered in some way
before being used, such as using a simple replacement table to change
letters to special characters?  This way, the salt would not have to be
stored because it would be a derivative of the password.  How would this
differ from the traditional approach of generating a random salt and storing
with the hashed password?
>
> Also, how much less secure would it be to use a user ID as the salt
instead of a random salt that then has to be stored?  I've been thinking
about these, but feel I am missing important ideas.
>
> Thank you for any thoughts you can give.
>
> -Craig
>
>
> _____________________________________________________________
> Fight the power!  BlazeMail.com
>