RE: Values to use for a salt?
From: Michael Wojcik (Michael.Wojcik_at_microfocus.com)
Date: 12/17/03
- Previous message: Chris Alfeld: "Re: Values to use for a salt?"
- Maybe in reply to: Craig Minton: "Values to use for a salt?"
- Next in thread: Marian Ion: "Re: Values to use for a salt?"
- Reply: Marian Ion: "Re: Values to use for a salt?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: secprog@securityfocus.com
Date: Wed, 17 Dec 2003 09:58:18 -0800

> From: Marian Ion [mailto:marian.ion@e-licitatie.ro]
> Sent: Wednesday, December 17, 2003 4:01 AM

> Don't you think using extendedASCII set will dramatically increase the
> performance of any algorithm currently in use? Imagine what a
> pass like "|¤W-|[V.|1D-|`â-|Ë3-|%-|F0-| " means for a cracker: ...

Enlarging the password alphabet has the same effect as lengthening the
password. The larger the domain of possible passwords, the more space an
attacker has to search. That's a basic characteristic of passwords which
should be familiar to anyone working with password-based authentication.

> Will you still need salt and others?

That depends on your threat model and the strength of the passwords you're
protecting. Even if your system allows strong passwords, users may use weak
ones if they're allowed to do so. If your threat model includes defending
against an attacker who has resources to precompute a dictionary that
includes the weakest passwords permitted by your system, then adding salt
would be a way to address that threat.

--
Michael Wojcik
Principal Software Systems Developer, Micro Focus
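
The two points in the message above, worked through as an added example that is not part of the original post: a per-account salt stops a dictionary precomputed in advance from matching weak passwords, and alphabet size trades off against length in the search space. The account names, passwords, and helper functions are constructed for illustration, and a single SHA-256 stands in for whatever hash the system uses.

```python
import hashlib
import math
import os

# Constructed sample data: a tiny "weak password" dictionary and three accounts.
WEAK_PASSWORDS = ["123456", "password", "letmein", "qwerty"]
ACCOUNTS = {"alice": "letmein", "bob": "letmein", "carol": "T7#vq9!Lr2xw"}


def digest(password: str, salt: bytes = b"") -> str:
    # A single fast hash isolates the effect of the salt; a real password
    # store would use a deliberately slow KDF on top of the per-user salt.
    return hashlib.sha256(salt + password.encode("utf-8")).hexdigest()


def search_space_bits(alphabet_size: int, length: int) -> float:
    """log2 of the number of candidate passwords: length * log2(alphabet)."""
    return length * math.log2(alphabet_size)


def build_stores():
    """Return (unsalted, salted) credential tables for ACCOUNTS."""
    unsalted = {user: digest(pw) for user, pw in ACCOUNTS.items()}
    salted = {}
    for user, pw in ACCOUNTS.items():
        salt = os.urandom(16)  # fresh random salt per account, stored with the hash
        salted[user] = (salt, digest(pw, salt))
    return unsalted, salted


def exposed_by_precomputation(unsalted, salted):
    """Which accounts does one table, built before the store was seen, match?"""
    table = {digest(pw): pw for pw in WEAK_PASSWORDS}  # computed once, salt unknown
    hits_unsalted = sorted(u for u, h in unsalted.items() if h in table)
    hits_salted = sorted(u for u, (_, h) in salted.items() if h in table)
    return hits_unsalted, hits_salted


if __name__ == "__main__":
    unsalted, salted = build_stores()
    print(exposed_by_precomputation(unsalted, salted))
    # Identical passwords collide without a salt and differ with one.
    print(unsalted["alice"] == unsalted["bob"], salted["alice"][1] == salted["bob"][1])
    # 8 symbols from a 256-symbol alphabet vs 10 printable-ASCII symbols.
    print(search_space_bits(256, 8), search_space_bits(95, 10))
```

The salt does not make a weak password strong; it only forces the dictionary work to be repeated per account instead of being done once in advance.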