RE: Values to use for a salt?
From: Ton Geurts (geurts at vanveen.nl)
Date: Wed Dec 17 2003 - 05:00:52 CST
> My understanding is that salts are used to help deter dictionary attacks
> where the attacker has created a pre-hashed list of passwords and
> compares them against the actual hashed passwords. Using salts means the
> attacker must compute all possible values of the password in the
> dictionary multiplied by the possible salts, which makes it computationally
> unfeasible.
>
> Also, how much less secure would it be to use a user ID as the salt
> instead of a random salt that then has to be stored? I've been thinking
> about these, but feel I am missing important ideas.
>
I don't know if my approach is a good one (probably not; I am no expert), but
I always store my UID and password in a database with a timestamp.
My password hash is md5(timestamp & md5(password)). That way every hash has
a unique salt that changes with every password change. It makes precomputed
dictionaries virtually useless, unless you have direct database access.
Ton Geurts
geurts <shift+2> vanveen <.> nl
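The scheme Ton describes, worked through in Python as an added example (this is editor-supplied code, not code from the original post or from Neohapsis). It places md5(timestamp & md5(password)) next to a plain unsalted md5 and next to the same construction with a stored random salt, builds the attacker's precomputed table, and shows which of the three the table still breaks. Assumptions: the `&` in the post is read as string concatenation; the wordlist and the timestamp value are constructed sample data; the function names are this example's own.

```python
import hashlib
import secrets

# Constructed sample wordlist standing in for an attacker's dictionary.
WORDLIST = ["password", "letmein", "hunter2", "qwerty", "correcthorse"]

# Constructed timestamp (seconds since epoch) standing in for the value the
# post stores in the database beside the UID and the password hash.
SAMPLE_TIMESTAMP = "1071658852"


def md5_hex(data: str) -> str:
    """Hex MD5 of a UTF-8 string. MD5 is used here only because the post uses it."""
    return hashlib.md5(data.encode("utf-8")).hexdigest()


def unsalted_hash(password: str) -> str:
    """Plain md5(password): identical passwords give identical hashes."""
    return md5_hex(password)


def timestamp_salted_hash(password: str, timestamp: str) -> str:
    """The post's scheme, md5(timestamp & md5(password)).

    '&' is read as string concatenation; the post does not spell that out,
    so this reading is an assumption of the example.
    """
    return md5_hex(timestamp + md5_hex(password))


def random_salted_hash(password: str, salt: str) -> str:
    """Same construction, but with a stored random salt instead of a timestamp."""
    return md5_hex(salt + md5_hex(password))


def new_random_salt() -> str:
    """Per-record salt from the OS CSPRNG (8 bytes, 16 hex characters)."""
    return secrets.token_hex(8)


def build_precomputed_table(wordlist):
    """Attacker's one-time investment: md5(word) -> word for the whole list."""
    return {unsalted_hash(word): word for word in wordlist}


def lookup_precomputed(table, stored_hash):
    """Dictionary attack by table lookup: one dict probe per stolen hash."""
    return table.get(stored_hash)


def crack_with_known_salt(stored_hash, salt, wordlist, hash_fn):
    """Attack once the salt is visible, e.g. via direct database access.

    The precomputed table is useless, but the attacker can still run the
    wordlist against one record at a time, one hash per candidate.
    """
    for word in wordlist:
        if hash_fn(word, salt) == stored_hash:
            return word
    return None


def demo():
    """Two users who chose the same password, under each scheme."""
    table = build_precomputed_table(WORDLIST)
    plain_a = unsalted_hash("hunter2")
    plain_b = unsalted_hash("hunter2")
    salted_a = timestamp_salted_hash("hunter2", SAMPLE_TIMESTAMP)
    salted_b = timestamp_salted_hash("hunter2", "1071658853")  # set one second later
    return {
        "unsalted_collide": plain_a == plain_b,
        "salted_collide": salted_a == salted_b,
        "table_hits_unsalted": lookup_precomputed(table, plain_a),
        "table_hits_salted": lookup_precomputed(table, salted_a),
        "known_salt_cracks": crack_with_known_salt(
            salted_a, SAMPLE_TIMESTAMP, WORDLIST, timestamp_salted_hash),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running `demo()` shows the precomputed table recovering the unsalted hash immediately and missing the timestamp-salted one, which is the gain the post claims. `crack_with_known_salt` is the case the post's last sentence refers to: an attacker who can read the database also reads the salt, and is back to one dictionary run per record at MD5 speed. The `random_salted_hash` variant is included because the timestamp only differs between records written at different moments, whereas a salt drawn from `secrets` is independent of when the row was written.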