WebApp Sec mailing list archives
RE: Salt Storage - web.config or database?
From: "James Pujals" <james.pujals () sterlingpayment com>
Date: Wed, 7 Jun 2006 09:48:20 -0400
steve.barnet () icecube wisc edu wrote:

This is not necessary, and may well be undesirable. This does very little to improve security and creates more complexity and more failure modes.

Salting does nothing more than ensure that identical passwords with different salts hash to different values. This solves a few very narrow attacks:

1) Precomputed dictionary attacks. If an attacker wants to precompute a list of password hashes for later comparison with stolen hashes, they must now compute the hashes for the number of words * number of hash values instead of a single hash for each password.

2) Identical passwords hash to different values. If you break a particular password hash, you cannot do a trivial comparison with hashes using a different salt to find other usernames which use the same password.

3) Same password used on different systems. This is essentially a special case of #2.

Salting does very little to mitigate an attack on a single password hash.
I'm confused. Are you suggesting to not salt the passwords at all prior to hashing?

-dZ.
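The three effects Steve lists above, plus his caveat about a single hash, as a runnable illustration. This is an added example, not code from anyone in the thread; the word list, the per-user salts and the low PBKDF2 iteration count are constructed for the demo, and PBKDF2-HMAC-SHA256 is simply the salted hash chosen here.

```python
import hashlib
import hmac

# Constructed attacker dictionary for the demo (not from the thread).
WORDLIST = ["123456", "password", "letmein", "qwerty", "hunter2", "dragon"]


def hash_password(password: str, salt: bytes, iterations: int = 1000) -> bytes:
    """Salted password hash (PBKDF2-HMAC-SHA256; iteration count kept low for the demo)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def store_user(password: str, salt: bytes) -> dict:
    """What a credential row holds: the salt in the clear next to the hash."""
    return {"salt": salt, "hash": hash_password(password, salt)}


def verify(record: dict, candidate: str) -> bool:
    """Normal login check: recompute with the stored salt, constant-time compare."""
    return hmac.compare_digest(record["hash"], hash_password(candidate, record["salt"]))


def precompute_table(wordlist, salts) -> dict:
    """Point 1, attacker side: one table entry per (word, salt) pair, so the table
    grows to len(wordlist) * len(salts) instead of len(wordlist)."""
    return {hash_password(w, s): w for s in salts for w in wordlist}


def lookup(table: dict, record: dict):
    """Precomputed-table attack: a dictionary lookup, no hashing at attack time.
    Returns the recovered password or None if the salt was not precomputed."""
    return table.get(record["hash"])


def same_password_as(records: dict, target: dict) -> list:
    """Point 2: a trivial hash comparison only reveals password reuse when the
    hashes were computed under the same salt."""
    return [name for name, r in records.items()
            if r is not target and r["hash"] == target["hash"]]


def crack_single(record: dict, wordlist):
    """The caveat: against one hash whose salt is known (it sits next to the hash),
    the attacker still pays exactly one hash per guess. Returns (word, guesses)."""
    for n, word in enumerate(wordlist, 1):
        if hmac.compare_digest(record["hash"], hash_password(word, record["salt"])):
            return word, n
    return None, len(wordlist)


if __name__ == "__main__":
    # Constructed users: alice and bob share a password.
    unsalted = {n: store_user(p, b"") for n, p in
                [("alice", "hunter2"), ("bob", "hunter2"), ("carol", "qwerty")]}
    salted = {"alice": store_user("hunter2", b"salt-alice"),
              "bob": store_user("hunter2", b"salt-bob"),
              "carol": store_user("qwerty", b"salt-carol")}

    print("reuse visible without salt:", same_password_as(unsalted, unsalted["alice"]))
    print("reuse visible with salt:   ", same_password_as(salted, salted["alice"]))

    table = precompute_table(WORDLIST, [b""])        # one hash per word
    print("table lookup, unsalted:", lookup(table, unsalted["alice"]))
    print("table lookup, salted:  ", lookup(table, salted["alice"]))

    print("single salted hash by brute force:", crack_single(salted["carol"], WORDLIST))
```

The table built with only the empty salt recovers the unsalted hash immediately but misses every salted one; rebuilding it for every salt the attacker expects multiplies its size, which is the whole benefit. The last line shows the limit Steve points at: with the salt stored beside the hash, guessing one user's password costs the same number of hash computations either way.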
Current thread:
- Salt Storage - web.config or database? cynthia . peluso (Jun 02)
- Re: Salt Storage - web.config or database? Dean H. Saxe (Jun 02)
- RE: Salt Storage - web.config or database? Wall, Kevin (Jun 03)
- Re: Salt Storage - web.config or database? Adam Tuliper (Jun 03)
- RE: Salt Storage - web.config or database? Burke, Charles (Jun 04)
- Re: Salt Storage - web.config or database? Steve Barnet (Jun 07)
- RE: Salt Storage - web.config or database? James Pujals (Jun 07)
- Re: Salt Storage - web.config or database? Steve Barnet (Jun 07)
- RE: Salt Storage - web.config or database? James Pujals (Jun 07)
- <Possible follow-ups>
- RE: Salt Storage - web.config or database? Martin O'Neal (Jun 04)