Re: Salt size

From: Unruh <unruh-spam@xxxxxxxxxxxxxx>
Date: Wed, 16 Jul 2008 00:59:43 GMT

Kless <jonas.esp@xxxxxxxxxxxxxx> writes:

To get a hashed password, using SHA-256 algorithm.

Again for what? ARe you designing a system? Is this a system in use?

The purpose of the salt is to prevent the attacker from launching a
predetermined dictionary attack. Thus they could precompute the SHA has of
a huge dictionary and compare to the hashed password. If you have salted
it, they would need to precalculate n times as large a database where n is
the number of salts. If y ou are designing the thing, then it is up to you
to decide what value of n is big enough.
128 bits means that n is 2^128=10^40 .

On Jul 16, 12:06=A0am, Unruh <unruh-s...@xxxxxxxxxxxxxx> wrote:

Kless <jonas....@xxxxxxxxxxxxxx> writes:

Which size is recommended for a salt?

Ffor what? The answer could be anywhere from 0 bytes to 1000 bytes.

The 'bcrypt' hash algorithm (created by OpenBSD) uses a size of 128
bits (16 bytes).

Follow-Ups:
- Re: Salt size
  - From: Kless

References:
- Salt size
  - From: Kless
- Re: Salt size
  - From: Unruh
- Re: Salt size
  - From: Kless

Prev by Date: Re: Salt size
Next by Date: Re: Salt size
Previous by thread: Re: Salt size
Next by thread: Re: Salt size
Index(es):
- Date
- Thread

Relevant Pages

Re: Importance of salt
... generate a key which is then used for encryption. ... The salt is used on ... The attacker really couldn't use his ... As for the iteration count... ...
(microsoft.public.dotnet.security)
Re: Importance of salt
... That is the problem with using one-way hash ... The salt is used on ... The attacker really couldn't use his ... > even knows the correct iteration count used. ...
(microsoft.public.dotnet.security)
Re: password salting
... For attacker, I assume pre-computed hash tables are just not that helpful ... You can only add so many iterations to ... |> If you have the salt and the hash, the salt does not make attacking ...
(microsoft.public.dotnet.security)
Re: Iterative Password Hashing vs Strong Salt
... my salts are not known by the attacker. ... I cannot use the word "salt". ... The purpose of hashing is to help in situations where the attacker has ... You are combining secret client data and secret server data to form an encryption key which is then used to encrypt and store some data on the server. ...
(sci.crypt)
RE: Password encryption
... If the salt is a randomly generated 256 bit value then stored statically in ... the total number of possible keys an attacker needs to try (with ... Making the data secure is not easy and it is actually a chain to secure ... Microsoft Online Community Support ...
(microsoft.public.dotnet.framework)