Re: virtue of salted passwords
From: yawnmoth (terra1024_at_yahoo.com)
Date: 11/21/05
- Next message: raving.loonie_at_gmail.com: "Re: Kadaitcha Man ~~~~> If it walks like a duck, talks like a duck, looks like a duck ..."
- Previous message: yawnmoth: "Re: virtue of salted passwords"
- In reply to: +Alan Hicks+: "Re: virtue of salted passwords"
- Next in thread: Donnie: "Re: virtue of salted passwords"
- Reply: Donnie: "Re: virtue of salted passwords"
Date: 21 Nov 2005 14:02:27 -0800
+Alan Hicks+ wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> <snip>
> Not necessarily. Password hashes can be retrieved in any number of
> ways. There are no guarantees that an attacker who can find a password
> hash would also retrieve the salt at the same time.
Any ideas as to how to make it harder to retrieve salts for web
applications? One idea would be to have two separate databases with
different passwords. One database would contain the salt and the other
would contain the hash. Although this would make it that much harder
for both to be revealed via SQL injection, it doesn't really seem all
that feasible a solution. Another idea would be to store salts using
text files and hashes in databases...
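
The split described in the message above, as an added example that is not part of the original post: salts and salted hashes are kept in two separate stores, so a dump of the hash store alone carries no salts. The two in-memory SQLite connections, the PBKDF2 parameters and all function names are assumptions made for the demo.

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed stand-ins for the two separately credentialed databases
# from the post; in-memory SQLite is an assumption made for this demo.
salt_db = sqlite3.connect(":memory:")
hash_db = sqlite3.connect(":memory:")
salt_db.execute("CREATE TABLE salts (username TEXT PRIMARY KEY, salt BLOB NOT NULL)")
hash_db.execute("CREATE TABLE hashes (username TEXT PRIMARY KEY, digest BLOB NOT NULL)")

ITERATIONS = 200_000  # assumed PBKDF2 work factor for the demo


def derive(password: str, salt: bytes) -> bytes:
    """Salted, iterated hash of the password (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def register(username: str, password: str) -> None:
    """Write the salt to one store and the salted hash to the other."""
    salt = os.urandom(16)  # unique random salt per account
    # Parameterized queries: user input never becomes part of the SQL text.
    salt_db.execute("INSERT INTO salts VALUES (?, ?)", (username, salt))
    hash_db.execute("INSERT INTO hashes VALUES (?, ?)", (username, derive(password, salt)))


def verify(username: str, password: str) -> bool:
    """Both stores must answer before a login attempt can be checked."""
    s = salt_db.execute("SELECT salt FROM salts WHERE username = ?", (username,)).fetchone()
    h = hash_db.execute("SELECT digest FROM hashes WHERE username = ?", (username,)).fetchone()
    if s is None or h is None:
        return False
    # Constant-time comparison of the recomputed and stored digests.
    return hmac.compare_digest(derive(password, s[0]), h[0])


def hash_store_columns() -> list:
    """Column names that a dump of the hash store alone would expose."""
    return [row[1] for row in hash_db.execute("PRAGMA table_info(hashes)")]


if __name__ == "__main__":
    register("alice", "correct horse battery staple")  # constructed sample account
    print(verify("alice", "correct horse battery staple"), hash_store_columns())
```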