Re: Values to use for a salt?: msg#00038

security.programming

Subject: Re: Values to use for a salt?

So, I think the problem here is that terminology is getting garbled.

If you just prepend 5__#$ to every password, and then treat the combined
string as the password, you have NOT used a salt. However, you have made
the password "more random" by ensuring, for instance, that none of the
passwords are in a standard Webster's dictionary. The problem is that this
is only a useful defense against a clueless attacker, since any decent
attacker would just update the dictionary to account for the prepended
5__#$.

Richard M. Conlan

>
>
>> Most systems that I'm aware of use the same key, I presume for speed
>> reasons.
>
> Or because they're written by people who don't know what
> they're doing.
>
>> Since the key is added to the password before hashing it seems to me
>> that it only serves to make the password more random. So "MyPassword"
>> becomes "1234MyPassword". This has only made the password more
>> random and generates the same hash code for every password that is
>> "MyPassword".
>
> If you're going to salt, then you need to put the salt at the *END* of
> the password. Otherwise the cracker can precompute the salt in the
> hashing routine, and there's no speed difference between a salted
> password and an unsalted password.
>
> SALTpassword <== precompute hash of SALT, then do all
> possible passwords.
>
> passwordSALT <== compute each password followed by
> salt - no precomputation possible.
>
> Always put the 'known' bit last. (Here assuming the salt is
> either known (stored in the resulting hash) or knowable (it's
> stored somewhere inside the application or application logic
> and thus is essentially knowable anyway).)
>
>> Couldn't agree more and one benefit of using salt is that it creates
>> more random passwords.
>
> I still have no idea what you really mean here.
>
> password+salt is not a password, it's a password+salt.
> It's the 'thing to be hashed' but it's not the password
> any more.
>
>
>
> --
> Brian Hatch                  Turning off setuid bits
>    Systems and                of important unix tools
>    Security Engineer          is like poking out an
> http://www.ifokr.org/bri/     eye to prevent misuse.
>                                   -- Nick Esborn.
> Every message PGP signed
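
Added example, not part of the original message or thread: a Python sketch contrasting the fixed prefix described at the top of this message with a per-account random salt. The function names, the sample accounts and the choice of PBKDF2-HMAC-SHA256 are assumptions made for illustration.

```python
import hashlib
import hmac
import os

FIXED_PREFIX = "5__#$"  # the constant string quoted in the message above

def fixed_prefix_hash(password: str) -> str:
    """Weak scheme: the same constant is prepended to every password."""
    return hashlib.sha256((FIXED_PREFIX + password).encode()).hexdigest()

def dictionary_with_prefix(words):
    """The 'updated dictionary': built once, it applies to every account."""
    return {fixed_prefix_hash(w): w for w in words}

def new_record(password: str, iterations: int = 200_000) -> dict:
    """Per-account scheme: fresh random salt plus a slow KDF (assumed choice)."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt, "iterations": iterations, "hash": digest}

def verify(password: str, record: dict) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), record["salt"], record["iterations"])
    return hmac.compare_digest(candidate, record["hash"])

def shared_hash_groups(stored: dict) -> list:
    """Audit helper: list groups of accounts whose stored hash is identical."""
    groups = {}
    for user, value in stored.items():
        groups.setdefault(value, []).append(user)
    return [sorted(users) for users in groups.values() if len(users) > 1]

# Constructed sample accounts (not real data).
ACCOUNTS = {"alice": "MyPassword", "bob": "MyPassword", "carol": "tr0ub4dor"}

def demo():
    weak = {u: fixed_prefix_hash(p) for u, p in ACCOUNTS.items()}
    strong = {u: new_record(p) for u, p in ACCOUNTS.items()}
    table = dictionary_with_prefix(["password", "MyPassword", "letmein"])
    recovered = {u: table[h] for u, h in weak.items() if h in table}
    return weak, strong, recovered

if __name__ == "__main__":
    weak, strong, recovered = demo()
    print("fixed prefix, identical hashes:", shared_hash_groups(weak))
    print("fixed prefix, found in one table:", recovered)
    print("per-account salt, identical hashes:",
          shared_hash_groups({u: r["hash"] for u, r in strong.items()}))
```

Running `shared_hash_groups` over an existing credential table is a quick check for whether a deployed scheme uses a shared constant instead of a per-account salt.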





