Re: Values to use for a salt?
From: Richard M. Conlan (kaige_at_embracetherandom.com)
Date: 12/17/03
- Previous message: Ton Geurts: "RE: Values to use for a salt?"
- In reply to: Marian Ion: "Re: Values to use for a salt?"
- Next in thread: Adi Kriegisch: "Re: Values to use for a salt?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Wed, 17 Dec 2003 11:49:28 -0500 (EST)
To: <marian.ion@e-licitatie.ro>
The problem is that if you let users pick their own password they will
still pick crappy passwords. If you generate these uber-complex passwords
and just hand them to users they will write them down, or do other nasty
things. It is probably worth the effort of using a salt and requiring some
level of complexity in the passwords that the user can live with.
~Richard M. Conlan
> Hi all,
>
> Don't you think using the extended ASCII set will dramatically increase the
> performance of any algorithm currently in use? Imagine what a pass like
> "|¤W-|[V.|1D-|`â-|Ë3-|%-|F0-| " means for a cracker: (selected from
> line 22 (I think...) from regedit.exe). Imagine using Unicode characters
> for keys ...
> Will you still need salt and others?
>
> Marian Ion
>
> ----- Original Message -----
> From: "Craig Minton" <CraigSecurity@blazemail.com>
> To: <secprog@securityfocus.com>
> Sent: Monday, December 15, 2003 9:32 PM
> Subject: Values to use for a salt?
>
>
>> My understanding is that salts are used to help deter dictionary
>> attacks where the attacker has created a pre-hashed list of passwords and
>> compares them against the actual hashed passwords. Using salts means
>> the attacker must compute all possible values of the password in the
>> dictionary multiplied by the possible salts, which makes it computationally
>> infeasible.
>>
>> Someone recently suggested using the password as the salt. I have
>> never seen this discussed before, and would like to get opinions on it.
>> What would be wrong with this, especially if it were altered in some way
>> before being used, such as using a simple replacement table to change
>> letters to special characters? This way, the salt would not have to be
>> stored because it would be a derivative of the password. How would this
>> differ from the traditional approach of generating a random salt and
>> storing it with the hashed password?
>>
>> Also, how much less secure would it be to use a user ID as the salt
>> instead of a random salt that then has to be stored? I've been thinking
>> about these, but feel I am missing important ideas.
>>
>> Thank you for any thoughts you can give.
>>
>> -Craig
>>
>>
>> _____________________________________________________________
>> Fight the power! BlazeMail.com
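As an added illustration (not code from anyone in this thread), the toy below compares the three salt choices Craig asks about. The attacker's table is built from public information only, before the hash database is obtained, and the count shows how many stored hashes that table matches the moment the database leaks. The wordlist, the accounts and the letter-replacement table are constructed here for the example.

```python
import hashlib
import os

# Constructed sample data (not from the thread): a tiny wordlist and three accounts.
WORDLIST = ["password", "letmein", "qwerty", "dragon", "sunshine"]
USERS = {"alice": "letmein", "bob": "dragon", "carol": "letmein"}


def derive_salt(pw: str) -> str:
    """Craig's idea: a fixed replacement table turns the password into its own salt."""
    return pw.translate(str.maketrans("aeios", "@3!0$"))


def hash_pw(salt: str, pw: str) -> str:
    """One round of SHA-256 over salt||password; a toy, to keep the table step visible."""
    return hashlib.sha256((salt + pw).encode()).hexdigest()


def make_db(scheme: str) -> dict:
    """Return {user: (salt, digest)} for scheme 'password', 'userid' or 'random'."""
    db = {}
    for user, pw in USERS.items():
        if scheme == "password":
            salt = derive_salt(pw)       # never stored; recomputed from each guess
        elif scheme == "userid":
            salt = user                  # unique per user, but known to everyone
        else:
            salt = os.urandom(16).hex()  # unknown until the hashes themselves leak
        db[user] = (salt, hash_pw(salt, pw))
    return db


def precomputed_table(scheme: str) -> dict:
    """Table that can be built BEFORE the database is seen, from public data only."""
    table = {}
    for word in WORDLIST:
        if scheme == "password":
            table[hash_pw(derive_salt(word), word)] = word  # one entry covers every user
        elif scheme == "userid":
            for user in USERS:                             # usernames are public
                table[hash_pw(user, word)] = word
        # 'random': the salt is not known in advance, so nothing can be precomputed
    return table


def users_hit_by_table(scheme: str) -> int:
    """Stored digests the pre-built table matches as soon as the database leaks."""
    db, table = make_db(scheme), precomputed_table(scheme)
    return sum(1 for _, digest in db.values() if digest in table)
```

Only the random salt leaves the table empty: a password-derived salt yields a table no larger than the unsalted one, and a user ID salt merely multiplies it by the number of accounts, all of which are known in advance.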