Penetration Testing mailing list archives
Re: Oracle hash-list?
From: Joshua Wright <jwright () hasborg com>
Date: Mon, 21 Mar 2005 11:19:52 -0500
Steven DeFord wrote:
> Isn't using the username as useful as a salt? Better, even, perhaps, since usernames are longer than your typical few-character salt? Salts just slow down precompiled dictionary attacks, yes? I suppose it would be less useful for the few default accounts, but not for all the other users.
While this is true, a conflicting salt for users on two different systems would be a problem, since they will have the same password hash. A compromised username/password combination on one system could extend to another system since there is no unique salt.
-Josh
--
-Joshua Wright
jwright () hasborg com
http://home.jwu.edu/jwright/
pgpkey: http://home.jwu.edu/jwright/pgpkey.htm
fingerprint: FDA5 12FC F391 3740 E0AE BDB6 8FE2 FC0A D44B 4A73

Today I stumbled across the world's largest hotspot. The SSID is "linksys".
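The point made in the reply above, as an added example that is not part of the original message: when the username is the only salt, the same username and password produce the same stored hash on every system, while a per-record random salt does not. PBKDF2-HMAC-SHA256 is used here as a stand-in and is not Oracle's hash algorithm; the function names, iteration count, account names and passwords are all constructed for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 10_000  # assumption: illustrative work factor only


def hash_username_salt(username, password):
    """Stand-in scheme whose only salt is the username (not Oracle's algorithm)."""
    return hashlib.pbkdf2_hmac(
        "sha256", password.encode(), username.encode(), ITERATIONS
    ).hex()


def hash_random_salt(password, salt=None):
    """Same KDF with a per-record random salt, stored beside the digest."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt.hex(), digest.hex()


def verify_random_salt(password, record):
    """Recompute with the stored salt and compare in constant time."""
    salt_hex, digest_hex = record
    _, candidate = hash_random_salt(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate, digest_hex)


def shared_hashes(table_a, table_b):
    """Audit check: usernames whose stored credential is identical in both tables."""
    common = table_a.keys() & table_b.keys()
    return sorted(u for u in common if table_a[u] == table_b[u])


# Constructed accounts on two independent systems; SCOTT reuses a password.
SYSTEM_A = {"SCOTT": "tiger", "APPUSER": "Winter2005!"}
SYSTEM_B = {"SCOTT": "tiger", "APPUSER": "a-different-password"}


def build_tables(hasher):
    """Hash every account on both systems with the given (user, password) hasher."""
    return tuple({u: hasher(u, p) for u, p in system.items()}
                 for system in (SYSTEM_A, SYSTEM_B))


if __name__ == "__main__":
    a, b = build_tables(hash_username_salt)
    print("username salt, identical on both systems:", shared_hashes(a, b))
    a, b = build_tables(lambda u, p: hash_random_salt(p))
    print("random salt, identical on both systems:", shared_hashes(a, b))
```
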