Re: Values to use for a salt?

From: Marian Ion (marian.ion_at_e-licitatie.ro)
Date: 12/17/03

  • Next message: Ton Geurts: "RE: Values to use for a salt?"
    To: <CraigSecurity@blazemail.com>, <secprog@securityfocus.com>
    Date: Wed, 17 Dec 2003 11:00:52 +0200
    
    

    Hi all,

    Don't you think using the extended ASCII set will dramatically increase the
    work for any cracking algorithm currently in use? Imagine what a password like
    "|¤W-|[V.|1D-|`â-|Ë3-|%-|F0-| " means for a cracker (selected from line
    22, I think, of regedit.exe). Imagine using Unicode characters for keys
    ...
    Will you still need salts and the rest?

    Marian Ion

    ----- Original Message -----
    From: "Craig Minton" <CraigSecurity@blazemail.com>
    To: <secprog@securityfocus.com>
    Sent: Monday, December 15, 2003 9:32 PM
    Subject: Values to use for a salt?

    > My understanding is that salts are used to help deter dictionary attacks
    > where the attacker has created a pre-hashed list of passwords and compares
    > them against the actual hashed passwords. Using salts means the attacker
    > must compute all possible values of the password in the dictionary multiplied
    > by the possible salts, which makes it computationally infeasible.
    >
    > Someone recently suggested using the password as the salt. I have
    > never seen this discussed before and would like to get opinions on it.
    > What would be wrong with this, especially if it were altered in some way
    > before being used, such as using a simple replacement table to change
    > letters to special characters? This way, the salt would not have to be
    > stored, because it would be a derivative of the password. How would this
    > differ from the traditional approach of generating a random salt and storing
    > it with the hashed password?
    >
    > Also, how much less secure would it be to use a user ID as the salt
    > instead of a random salt that then has to be stored? I've been thinking
    > about these, but feel I am missing important ideas.
    >
    > Thank you for any thoughts you can give.
    >
    > -Craig
    >
    >
    > _____________________________________________________________
    > Fight the power! BlazeMail.com
    >
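The four storage choices discussed in this thread (no salt, a salt derived from the password through a replacement table, the user ID as salt, and a stored random salt), run side by side against a precomputed table. This is an added example, not code from either poster or from any product: the replacement table, the five-word wordlist, the two users and the "strong" extended-ASCII password are constructed for illustration, and SHA-256 stands in for whatever hash a real system uses. The point it makes concrete is that a salt the attacker can compute from the password, or guess from a public identifier, costs him nothing extra, while a stored random salt forces the wordlist to be re-hashed for every user; a password that is not in the wordlist at all (Marian's argument) defeats the table in every variant, but without a salt two users who share it still share a hash.

```python
import hashlib
import os
from typing import Callable, Dict, Iterable, Optional, Tuple

# Constructed sample data (not from the thread): a tiny attacker wordlist and
# two users who happened to choose the same password.
WORDLIST = ["123456", "password", "hunter2", "letmein", "qwerty"]
USERS = {"alice": "hunter2", "bob": "hunter2"}
STRONG = "|¤W-|[V.|1D-"  # a password no wordlist will contain


def digest(data: bytes) -> str:
    """SHA-256 stands in for whatever hash the system uses. A real scheme
    would use a slow KDF (bcrypt, scrypt, Argon2); the salting argument is
    the same for any hash function."""
    return hashlib.sha256(data).hexdigest()


# 1. No salt: the stored value is a pure function of the password.
def hash_unsalted(password: str) -> str:
    return digest(password.encode())


# 2. Salt derived from the password via a fixed replacement table (the idea
#    Craig relays). Nothing extra is stored, but the salt is still a function
#    of the password alone, so the stored value is too.
LEET = str.maketrans("aeiost", "@3!0$7")  # hypothetical replacement table


def hash_password_derived_salt(password: str) -> str:
    salt = password.translate(LEET)
    return digest(salt.encode() + b"|" + password.encode())


# 3. User ID as salt: differs between users of one system, but is public,
#    predictable, and identical on every system that uses this scheme.
def hash_userid_salt(user_id: str, password: str) -> str:
    return digest(user_id.encode() + b"|" + password.encode())


# 4. Random per-user salt, stored in the clear beside the hash.
def hash_random_salt(password: str, salt: Optional[bytes] = None) -> Tuple[str, str]:
    if salt is None:
        salt = os.urandom(16)
    return salt.hex(), digest(salt + b"|" + password.encode())


def verify_random_salt(password: str, salt_hex: str, stored: str) -> bool:
    return hash_random_salt(password, bytes.fromhex(salt_hex))[1] == stored


# Attacker side: hash the wordlist once, then look leaked hashes up.
def precompute(hash_fn: Callable[[str], str], words: Iterable[str]) -> Dict[str, str]:
    return {hash_fn(w): w for w in words}


def crack(table: Dict[str, str], stored: str) -> Optional[str]:
    return table.get(stored)


def demo() -> Dict[str, object]:
    r: Dict[str, object] = {}

    # Unsalted: one table cracks every user, and equal hashes expose reuse.
    t = precompute(hash_unsalted, WORDLIST)
    r["unsalted_cracked"] = [crack(t, hash_unsalted(p)) for p in USERS.values()]
    r["unsalted_same_hash"] = hash_unsalted(USERS["alice"]) == hash_unsalted(USERS["bob"])
    # A password outside the wordlist misses the table, salt or no salt.
    r["strong_unsalted_miss"] = crack(t, hash_unsalted(STRONG)) is None

    # Password-derived salt: the attacker builds the table with the same
    # derivation. Same table size, same one-off cost, same result.
    t = precompute(hash_password_derived_salt, WORDLIST)
    r["derived_cracked"] = [crack(t, hash_password_derived_salt(p)) for p in USERS.values()]
    r["derived_same_hash"] = (hash_password_derived_salt(USERS["alice"])
                              == hash_password_derived_salt(USERS["bob"]))

    # User ID as salt: alice and bob now differ, but a table for a common ID
    # such as "admin" is built once and reused against every site.
    r["userid_differs"] = hash_userid_salt("alice", "hunter2") != hash_userid_salt("bob", "hunter2")
    t_admin = precompute(lambda w: hash_userid_salt("admin", w), WORDLIST)
    r["userid_admin_cracked"] = crack(t_admin, hash_userid_salt("admin", "letmein"))

    # Random salt: same password, different digests; an unsalted table misses;
    # the attacker must redo the whole wordlist per salt, i.e. per user.
    salt_a, dig_a = hash_random_salt(USERS["alice"])
    _, dig_b = hash_random_salt(USERS["bob"])
    r["random_differs"] = dig_a != dig_b
    r["random_table_miss"] = crack(precompute(hash_unsalted, WORDLIST), dig_a) is None
    r["random_verifies"] = verify_random_salt("hunter2", salt_a, dig_a)
    t_alice = precompute(lambda w: hash_random_salt(w, bytes.fromhex(salt_a))[1], WORDLIST)
    r["random_per_salt_crack"] = crack(t_alice, dig_a)
    return r


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The per-salt table in the last step has the same size as the original wordlist, which is the whole gain from a random salt: the attacker's precomputation is no longer shared across users or across systems, and a leaked database costs one full dictionary pass per account rather than one lookup per account. The derived salt and the user-ID salt give up that property because an attacker knows the derivation rule and the user IDs as well as the defender does.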

