Re: choice of salt Oct 31 2007 02:18PM
SecFocus subscriber Dave Aronson (secfocus2dave davearonson com)
Jamie Riden (jamie.riden (at) gmail (dot) com) writes:

> If your randomly chosen salt is two characters chosen from [0-9A-Za-z]
> then your precomputed tables would have to be 62*62 times the size
> compared with using no salt.

Right, but IIUC what's going on, the salt in this case is not random. In pseudocode, my understanding of what was described is:

newPwd = crypt (oldPwd, firstTwoChars (crypt (oldPwd, "")));

This uses a salt that's not random at all, so tables take only the original amount of size, so I'm suggesting instead:

newPwd = crypt (oldPwd, username);

though, since crypt() apparently only uses two chars for salt, it's effectively:

newPwd = crypt (oldPwd, firstTwoChars (username));

Or am I misunderstanding what was going on in the first place?


Dave Aronson
"Specialization is for insects." -Heinlein
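The table-size argument in this exchange can be checked directly. The following is an added example, not code from the thread or from crypt(3): toy_crypt is a stand-in for crypt() built on SHA-256 that only honours the first two salt characters, and the candidate passwords and usernames are constructed sample data. It builds the precomputed (hash to password) table an attacker would need under each salt choice named above: no salt, a salt derived from the password itself (firstTwoChars(crypt(oldPwd, ""))), the first two characters of the username, and a random two-character salt from [0-9A-Za-z].

```python
# Added example: compare precomputed-table sizes for the salt choices
# discussed in the thread. toy_crypt is NOT crypt(3); it only models the
# property that matters here: two salt characters, echoed in the output.
import hashlib
import itertools
import string

SALT_ALPHABET = string.digits + string.ascii_letters   # [0-9A-Za-z], 62 symbols
SALT_LEN = 2                                           # crypt(3) keeps two chars


def toy_crypt(password: str, salt: str) -> str:
    """Stand-in for crypt(password, salt). Only the first two salt chars are
    used, and they are prepended to the output, mirroring crypt(3)."""
    salt = salt[:SALT_LEN]
    digest = hashlib.sha256(f"{salt}${password}".encode()).hexdigest()
    return salt + digest[:22]


def password_derived_salt(password: str) -> str:
    """firstTwoChars(crypt(oldPwd, "")): the salt is a function of the
    password alone, so every candidate has exactly one possible salt."""
    return toy_crypt(password, "")[:SALT_LEN]


def username_salt(username: str) -> str:
    """crypt(oldPwd, username): crypt keeps only the first two characters."""
    return username[:SALT_LEN]


def store_password(password: str, salt: str) -> str:
    """What ends up in the password file for this salt choice."""
    return toy_crypt(password, salt)


def precompute(candidates, salts):
    """Table covering every candidate password stored under any salt in
    `salts`: maps stored hash -> plaintext."""
    return {toy_crypt(pw, s): pw for pw in candidates for s in salts}


def table_for_password_derived(candidates):
    """With a password-derived salt there is one entry per candidate,
    exactly as with no salt at all."""
    return {toy_crypt(pw, password_derived_salt(pw)): pw for pw in candidates}


def table_sizes(candidates, usernames):
    """Number of table entries needed to cover all targets per salt scheme."""
    all_salts = ["".join(p) for p in itertools.product(SALT_ALPHABET, repeat=SALT_LEN)]
    return {
        "no_salt": len(precompute(candidates, [""])),
        "password_derived": len(table_for_password_derived(candidates)),
        "username": len(precompute(candidates, {username_salt(u) for u in usernames})),
        "random": len(precompute(candidates, all_salts)),
    }


# Constructed sample data (not from the thread). "dave" and "daniel" share
# the username-derived salt "da", so they cost the attacker nothing extra.
CANDIDATES = ["password", "letmein", "hunter2", "qwerty", "123456"]
USERNAMES = ["dave", "jamie", "daniel", "al"]

if __name__ == "__main__":
    for scheme, size in table_sizes(CANDIDATES, USERNAMES).items():
        print(f"{scheme:18s} {size:6d} entries")
```

The "random" scheme is the only one that grows the table by 62*62; the password-derived salt gives a table the same size as no salt, and the username salt only grows it by the number of distinct two-character username prefixes in the target population.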