OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
Re: Values to use for a salt?

From: Marian Ion (marian.ione-licitatie.ro)
Date: Mon Dec 22 2003 - 03:43:37 CST

Hello all,

    Yes, of course, you (and all others) are right. Letting users choosing
their passwords is weak security (for authentication, encryption,
certification, etc). Maybe I was wrong, thinking encryption at a higher
level than basic user, thinking at a more responsible user.
    Anyway, I think, at the curent level of technology, considering a "safe"
algorithm with a "proper" key, salt is not necessary, an only introduces
delays.
    I prefer using "strange" passwords, because I'm not aware of good tools
for cryptanalyzing a key, even of 128 bits using Extended ASCII or Unicode.
It takes more than a life to crack a password using basic ASCII characters,
so ...
    Of course, it will come a time when Unicode and salt (or salts) and new
better algorithms will be used, but I may not live until then.

And for regular users, probably good public "good" keys (which means "not
choose by themselves") are better, because these algorithms are slower, and
not fitted for cryptanalyzing (at least until the concept of "equivalent
algorithms" comes onto the scene).

Regards,
Marian

----- Original Message -----
From: "Michael Wojcik" <Michael.Wojcikmicrofocus.com>
To: <secprogsecurityfocus.com>
Cc: "Marian Ion" <marian.ione-licitatie.ro>
Sent: Wednesday, December 17, 2003 7:58 PM
Subject: RE: Values to use for a salt?

> From: Marian Ion [mailto:marian.ione-licitatie.ro]
> Sent: Wednesday, December 17, 2003 4:01 AM

> Don't you think using extendedASCII set will dramatically increase the
> performance of any algorithm currently in use? Imagine what a
> pass like "|¤W-|[V.|1D-|`â-|Ë3-|%-|F0-| " means for a cracker: ...

Enlarging the password alphabet has the same effect as lengthening the
password. The larger the domain of possible passwords, the more space an
attacker has to search. That's a basic characteristic of passwords which
should be familiar to anyone working with password-based authentication.

> Will you still need salt and others?

That depends on your threat model and the strength of the passwords you're
protecting. Even if your system allows strong passwords, users may use weak
ones if they're allowed to do so. If your threat model includes defending
against an attacker who has resources to precompute a dictionary that
includes the weakest passwords permitted by your system, then adding salt
would be a way to address that threat.

--
Michael Wojcik
Principal Software Systems Developer, Micro Focus