Where to store your salt
From: Edgar Sánchez (edgar.sanchez_at_logicstudio.net)
Date: 01/24/04
- Next message: Hervey Wilson [MSFT]: "Re: Reversed issuer name returned by X509Certificate.GetIssuerName()"
- Previous message: Rob Mayo: ".NET HttpModule & NTLM Integrated Authentication"
- Next in thread: Pieter Philippaerts: "Re: Where to store your salt"
- Reply: Pieter Philippaerts: "Re: Where to store your salt"
- Reply: Michael Giagnocavo [MVP]: "Re: Where to store your salt"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Fri, 23 Jan 2004 22:41:03 -0500
Reviewing the code in "Building Secure Microsoft ASP.NET Applications" for
hashing passwords with salt, I see that the salt is stored in the same table
as the hashed password. The idea of using salt is to make a dictionary
attack harder, but if we store the salt close to the hashed password then the
attacker can attach the salt to the dictionary passwords and go on with
his/her attack. From what I understood of the salting technique, the salt
should be saved somewhere else. Is this right, or am I missing something?
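
The layout the question describes (salt in the same row as the hash), as an added example that is not part of the original post or of the book's code: it shows that a per-user random salt makes identical passwords hash differently and leaves a table built ahead of time without matches, so each guess has to be recomputed per user. It is written in Python with PBKDF2-HMAC-SHA256 rather than the book's .NET routine; the function names, iteration count and sample passwords are assumptions made for this sketch.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed work factor for this example


def _derive(password: str, salt: bytes, iterations: int) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def make_record(password: str) -> dict:
    """Build the row stored per user: the salt sits beside the hash, in the clear."""
    salt = os.urandom(16)  # unique and random per user; it is not a secret
    return {"salt": salt, "iterations": ITERATIONS,
            "hash": _derive(password, salt, ITERATIONS)}


def verify(password: str, record: dict) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    candidate = _derive(password, record["salt"], record["iterations"])
    return hmac.compare_digest(candidate, record["hash"])


def precomputed_table(words, iterations=ITERATIONS) -> dict:
    """A lookup table built once, before any salt is known (empty salt)."""
    return {_derive(w, b"", iterations): w for w in words}


def demo() -> dict:
    # Constructed sample data: two users who chose the same password.
    alice = make_record("letmein")
    bob = make_record("letmein")
    table = precomputed_table(["letmein", "password", "qwerty"])
    return {
        "same_password_same_hash": alice["hash"] == bob["hash"],
        "precomputed_hit": alice["hash"] in table or bob["hash"] in table,
        "alice_ok": verify("letmein", alice),
        "alice_wrong": verify("password", alice),
    }


if __name__ == "__main__":
    print(demo())
```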