Re: Where to store your salt
From: Derek Slager (derek_at_activate.net)
Date: 01/26/04
- Next message: Hernan de Lahitte: "Re: .NET HttpModule & NTLM Integrated Authentication"
- Previous message: Steve: "Network Credentials not passing in Authentication mode"
- In reply to: Edgar Sánchez: "Where to store your salt"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Mon, 26 Jan 2004 11:00:20 -0800
On Fri, 23 Jan 2004 22:41:26 -0500, Edgar Sánchez wrote:
> Reviewing the code in "Building Secure Microsoft ASP.NET Applications" for
> hashing passwords with salt, I see that the salt is stored in the same table
> as the hashed password. The idea of using salt is to make a dictionary
> attack harder but if we store the salt close to the hashed password then the
> attacker can attach the salt to the dictionary passwords and go on with
> his/her attack. From what I understood of the salting technique, the salt
> should be saved somewhere else, is this right or am I missing something?
Salt values are primarily used to prevent dictionary attacks using
pre-computed hashes. It's better to store it separately, but unless they
have already computed the hashes for their dictionary using the exact same
salt value they still have work to do.
-Derek
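
The point made in the reply, as an added example that is not part of the original message or of the book's code: each record stores its own random salt next to the hash, and a table precomputed for one salt value matches only records that use that exact salt. PBKDF2-HMAC-SHA256, the iteration count, the word list and all function names are assumptions chosen for the illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 10_000  # assumption: demo value kept low so the example runs quickly
WORDLIST = ["password", "letmein", "qwerty", "dragon"]  # constructed sample dictionary


def derive(password: str, salt: bytes) -> bytes:
    """Salted, iterated hash of a password (PBKDF2 is this example's choice)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def new_record(password: str) -> dict:
    """Row as it would sit in the user table: salt stored beside the hash."""
    salt = os.urandom(16)  # fresh random salt per user
    return {"salt": salt, "hash": derive(password, salt)}


def verify(record: dict, candidate: str) -> bool:
    """Login check: recompute with the stored salt, compare in constant time."""
    return hmac.compare_digest(record["hash"], derive(candidate, record["salt"]))


def precompute(salt: bytes) -> dict:
    """Dictionary table computed in advance for one specific salt value."""
    return {derive(word, salt): word for word in WORDLIST}


def lookup_hits(records: list, table: dict) -> int:
    """How many stored hashes a precomputed table resolves by plain lookup."""
    return sum(1 for r in records if r["hash"] in table)


def hashes_needed(records: list) -> int:
    """Work left once salts are known: one dictionary pass per distinct salt."""
    return len({r["salt"] for r in records}) * len(WORDLIST)


def build_demo_records() -> list:
    # Constructed sample: two users share a password, a third differs.
    return [new_record("letmein"), new_record("letmein"), new_record("dragon")]


if __name__ == "__main__":
    records = build_demo_records()
    table = precompute(records[0]["salt"])  # table built for user 0's salt only
    print("same password, same hash? ", records[0]["hash"] == records[1]["hash"])
    print("records resolved by table:", lookup_hits(records, table))
    print("hashes needed for all:    ", hashes_needed(records))
```

Knowing the salts does not remove the work; it only tells the attacker which dictionary pass has to be repeated for each record.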