|
Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com |
Values to use for a salt?
From: Craig Minton (CraigSecurity
blazemail.com)
Date: Mon Dec 15 2003 - 13:32:12 CST
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
My understanding is that salts are used to help deter dictionary attacks where the attacker has created a pre-hashed list of passwords and comparing them against the actual hashed passwords. Using salts means the attacker must compute all possible values of the password in the dictionary plus by the possible salts, which makes it computationally unfeasable.
Someone suggested recently of using the password as the salt. I have never seen this discussed before, and would like to get opinions of it. What would be wrong with this, especially if it were altered in some way before being used, such as using a simple replacement table to change letters to special characters? This way, the salt would not have to be stored because it would be a derivative of the password. How would this differ from the traditional approach of generating a random salt and storing with the hashed password?
Also, how much less secure would it be to use a user ID as the salt instead of a random salt that then has to be stored? I've been thinking about these, but feel I am missing important ideas.
Thank you for any thoughts you can give.
-Craig
_____________________________________________________________
Fight the power! BlazeMail.com
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]