|
Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com |
From: Alan Rouse (ARouse_at_n2bb.com)
Date: Fri Jul 12 2002 - 09:30:35 CDT
Scott Courtney wrote:
> What I propose, with regard to password hashing, is something like
this:
>
> Let string1 = login . "\n" . password . "\n" . iso_timestamp_string
>
> (example: "myaccount\nV3rY53cr37\n20020712094952")
>
> Let hash = md5sum(string1)
> Store login . "\n" . iso_timestamp_string . "\n" hash in the
equivalent
> of the shadow file.
> (example:
"myaccount\n20020712094952\na66c43e395f555447aad298a538f5e38")
You'd be better off using a random function to generate the salt, rather
than using a timestamp. Assuming your computer's clock is set somewhere
close to true time (or that the delta can be learned), if I know when
you changed your password I could use this information to accelerate my
attack by making informed guesses about the salt value.
Of course if your random function is seeded with the timestamp then the
two are equivalent. Depending on your platform, if you use the unix
/dev/random, or the java SecureRandom class you should be in great
shape.
-- To unsubscribe, e-mail: suse-security-unsubscribesuse.com For additional commands, e-mail: suse-security-help
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]