Back to list
choice of salt
Oct 31 2007 01:08PM
SecFocus subscriber Dave Aronson (secfocus2dave davearonson com)
Sébastien Barbieri [mailto:sebastien.barbieri (at) gmail (dot) com [email concealed]] writes:
> The "salt" used in the crypt is the 2 first letter of the crypted pass:
I'm no crypo-guru, but that doesn't seem worthwhile to me. It just makes a minor alteration in the algorithm, rather than adding any further data-based entropy. Tables can still be generated and compared with just a tiny bit more effort than if it were unsalted, as opposed to the complete table-ruining of adding more data.
Given that this technique is used in circumstances where there is a username available for additional data, wouldn't it make more sense to use that as the salt? An attacker would have to generate a separate table for each user (though some could be reused across systems, where the same usernames exist). Isn't that the purpose of salt? Or am I completely misgrokking the concept?
"Specialization is for insects." -Heinlein
[ reply ]
Re: choice of salt
Oct 31 2007 01:25PM
Jamie Riden (jamie riden gmail com)
Copyright 2010, SecurityFocus