RE: Values to use for a salt?

From: Ton Geurts (geurts_at_vanveen.nl)
Date: 12/17/03

  • Next message: Richard M. Conlan: "Re: Values to use for a salt?"
    To: "'secprog@securityfocus.com'" <secprog@securityfocus.com>
    Date: Wed, 17 Dec 2003 12:00:52 +0100
    
    

    > My understanding is that salts are used to help deter dictionary attacks
    > where the attacker has created a pre-hashed list of passwords and
    > compares them against the actual hashed passwords. Using salts means the
    > attacker must compute all possible values of the password in the
    > dictionary plus by the possible salts, which makes it computationally
    > unfeasible.
    >
    > Also, how much less secure would it be to use a user ID as the salt
    > instead of a random salt that then has to be stored? I've been thinking
    > about these, but feel I am missing important ideas.
    >

    I don't know if my approach is a good one (probably not; I am no expert) but
    I always store my UID and password in a database with a timestamp.
    My password hash is md5(timestamp & md5(password)). That way every hash has
    a unique salt that changes with every password change. It makes precomputed
    dictionaries virtually useless. Unless you have direct database access.

    Ton Geurts
    geurts <shift+2> vanveen <.> nl
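As an added example (not code from the thread or its posters), the three salt choices discussed above, the user ID from the question, Ton's timestamp scheme, and a stored random salt, side by side with the precomputed unsalted table the question describes, so the effect of each can be checked. The '&' in Ton's formula is assumed to mean string concatenation, and all sample values are constructed.

```python
import hashlib
import hmac
import secrets

# Constructed sample values for the demonstration (not taken from the thread).
SAMPLE_PASSWORD = "correct horse"
SAMPLE_UID = "tgeurts"
SAMPLE_TIMESTAMP = "2003-12-17 12:00:52"

def md5_hex(data: str) -> str:
    """Hex MD5 of a UTF-8 string; MD5 is used only because the thread does."""
    return hashlib.md5(data.encode("utf-8")).hexdigest()

def hash_unsalted(password: str) -> str:
    """No salt: equal passwords give equal hashes, so md5(word) for a word
    list can be computed once and reused against every stolen hash."""
    return md5_hex(password)

def hash_with_uid_salt(password: str, uid: str) -> str:
    """User ID as salt (the question's idea): a table built for one site does
    not transfer to another, but the salt never changes for a given user."""
    return md5_hex(uid + md5_hex(password))

def hash_ton_scheme(password: str, timestamp: str) -> str:
    """Ton's scheme, md5(timestamp & md5(password)), reading '&' as string
    concatenation (an assumption); the timestamp is stored with the row."""
    return md5_hex(timestamp + md5_hex(password))

def hash_random_salt(password: str, salt: str = "") -> tuple:
    """Random per-record salt stored next to the hash; a fresh salt is drawn
    on every password change, so two users with one password still differ."""
    if not salt:
        salt = secrets.token_hex(8)
    return salt, md5_hex(salt + md5_hex(password))

def precomputed_table(words: list) -> dict:
    """The reusable table the question describes: md5(word) -> word."""
    return {hash_unsalted(w): w for w in words}

def table_hit(table: dict, stored_hash: str):
    """Return the word whose unsalted MD5 equals stored_hash, or None."""
    return table.get(stored_hash)

def verify_ton_scheme(password: str, timestamp: str, stored_hash: str) -> bool:
    """Login check for Ton's scheme: recompute from the stored timestamp and
    compare in constant time."""
    return hmac.compare_digest(hash_ton_scheme(password, timestamp), stored_hash)
```

Note that with the user ID as salt the hash for a given user stays the same across password resets to the same value, while Ton's scheme and the random salt produce a new hash each time.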
