Values to use for a salt?
From: Craig Minton (CraigSecurity_at_blazemail.com)
Date: 12/15/03
- Previous message: Michael Wojcik: "RE: Prevent caching of pdf files"
- Next in thread: Casper ***: "Re: Values to use for a salt?"
- Reply: Casper ***: "Re: Values to use for a salt?"
- Reply: Larry W. Cashdollar: "Re: Values to use for a salt?"
- Maybe reply: Michael Wojcik: "RE: Values to use for a salt?"
- Maybe reply: Tony Kava: "RE: Values to use for a salt?"
- Reply: Dave Aronson: "Re: Values to use for a salt?"
- Reply: Marian Ion: "Re: Values to use for a salt?"
- Maybe reply: Ton Geurts: "RE: Values to use for a salt?"
- Maybe reply: Michael Wojcik: "RE: Values to use for a salt?"
- Maybe reply: Michael Wojcik: "RE: Values to use for a salt?"
- Reply: Eric Knight: "Re: Values to use for a salt?"
- Maybe reply: Scott Cleven-Mulcahy: "Re: Values to use for a salt?"
- Maybe reply: Scott Cleven-Mulcahy: "Re: Values to use for a salt?"
- Maybe reply: Michael Wojcik: "RE: Values to use for a salt?"
- Maybe reply: Fletcher, Stephen J: "RE: Values to use for a salt?"
- Maybe reply: Scott Cleven-Mulcahy: "RE: Values to use for a salt?"
- Maybe reply: Kenneth Buchanan: "RE: Values to use for a salt?"
- Maybe reply: Michael Wojcik: "RE: Values to use for a salt?"
- Maybe reply: Kenneth Buchanan: "RE: Values to use for a salt?"
- Maybe reply: Ton Geurts: "RE: Values to use for a salt?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Mon, 15 Dec 2003 11:32:12 -0800 (PST)
To: secprog@securityfocus.com
My understanding is that salts are used to help deter dictionary attacks where the attacker has created a pre-hashed list of passwords and compares them against the actual hashed passwords. Using salts means the attacker must compute all possible values of the passwords in the dictionary combined with all the possible salts, which makes it computationally infeasible.
Someone recently suggested using the password as the salt. I have never seen this discussed before, and would like to get opinions on it. What would be wrong with this, especially if it were altered in some way before being used, such as using a simple replacement table to change letters to special characters? This way, the salt would not have to be stored because it would be a derivative of the password. How would this differ from the traditional approach of generating a random salt and storing it with the hashed password?
Also, how much less secure would it be to use a user ID as the salt instead of a random salt that then has to be stored? I've been thinking about these, but feel I am missing important ideas.
Thank you for any thoughts you can give.
-Craig
_____________________________________________________________
Fight the power! BlazeMail.com
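Added example, not part of the original post or of any reply in the thread: a Python script that plays out the precomputed-dictionary scenario the post describes against the three salt choices it asks about (a salt derived from the password through a replacement table, the user ID as salt, and a stored random salt). The wordlist, user IDs, password and replacement table are constructed for the demo, and plain SHA-256 stands in for whatever password hash a real system would use.

```python
from __future__ import annotations

import hashlib
import os

# Constructed toy wordlist standing in for an attacker's dictionary.
WORDLIST = ["password", "letmein", "hunter2", "qwerty", "dragon", "trustno1"]

# Constructed replacement table, the post's "letters to special characters" idea.
LEET = str.maketrans("aeios", "@3!0$")


def salt_from_password(password: str) -> str:
    """Password-derived salt: deterministic, so nothing needs to be stored."""
    return password.translate(LEET)


def hash_pw(salt: str, password: str) -> str:
    """Salted hash. Plain SHA-256 is used only to keep the demo short."""
    return hashlib.sha256(f"{salt}:{password}".encode()).hexdigest()


# --- Three ways the defender can pick a salt --------------------------------

def store_password_derived(password: str) -> str:
    return hash_pw(salt_from_password(password), password)


def store_userid_salt(user_id: str, password: str) -> str:
    return hash_pw(user_id, password)


def store_random_salt(password: str) -> tuple[str, str]:
    salt = os.urandom(16).hex()          # must be stored beside the hash
    return salt, hash_pw(salt, password)


# --- Attacker side: precomputation done BEFORE any hash is stolen -----------

def table_password_derived() -> dict[str, str]:
    """One table covers every user on every system using this scheme,
    because the salt is a pure function of the guess."""
    return {hash_pw(salt_from_password(w), w): w for w in WORDLIST}


def table_for_user(user_id: str) -> dict[str, str]:
    """A user-ID salt forces one table per user ID, but the ID is known
    in advance and is the same wherever that user ID exists."""
    return {hash_pw(user_id, w): w for w in WORDLIST}


def lookup(table: dict[str, str], stored: str) -> str | None:
    return table.get(stored)


def crack_after_theft(salt: str, stored: str) -> tuple[str | None, int]:
    """With a random salt nothing can be precomputed; the attacker runs the
    wordlist per stolen record. Returns (password, hashes computed)."""
    for i, w in enumerate(WORDLIST, 1):
        if hash_pw(salt, w) == stored:
            return w, i
    return None, len(WORDLIST)


def demo() -> dict:
    """alice and bob chose the same weak password on this system; a second
    system also has an 'alice'. Returns what each scheme leaks."""
    pw = "hunter2"
    out = {}

    # 1. Password-derived salt: the one table cracks both accounts, and equal
    #    passwords give equal hashes, so shared passwords show on inspection.
    t = table_password_derived()
    a, b = store_password_derived(pw), store_password_derived(pw)
    out["derived"] = (lookup(t, a), lookup(t, b), a == b)

    # 2. User-ID salt: per-user tables, but they can be built in advance, and
    #    alice's table from this system also works on the second system.
    ta = table_for_user("alice")
    a = store_userid_salt("alice", pw)
    b = store_userid_salt("bob", pw)
    other = store_userid_salt("alice", pw)      # 'alice' on a second system
    out["userid"] = (lookup(ta, a), lookup(ta, b), lookup(ta, other), a == b)

    # 3. Random salt: no usable table before the theft; work is per record.
    sa, ha = store_random_salt(pw)
    sb, hb = store_random_salt(pw)
    out["random"] = (crack_after_theft(sa, ha)[0],
                     crack_after_theft(sb, hb)[0], ha == hb)
    return out


if __name__ == "__main__":
    for scheme, result in demo().items():
        print(scheme, result)
```

Running `demo()` shows the three behaviours side by side: the table built for the password-derived scheme cracks every account at once and exposes which users share a password; the user-ID table only covers one user ID but can be computed before any breach and transfers to any other system where that user ID salts the same password; the random salt leaves the attacker with per-record work that can only start after the hashes are stolen.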