RE: Salt Storage - web.config or database?

["James Pujals" <james.pujals () sterlingpayment com>]

steve.barnet () icecube wisc edu wrote:
> This is not necessary, and may well be undesirable. This does
> very little to improve security and creates more complexity
> and more failure modes.
>
> Salting does nothing more than ensure that identical passwords
> with different salts hash to different values. This solves a
> few very narrow attacks:
>
> 1) Precomputed dictionary attacks. If an attacker wants to
>     precompute a list of password hashes for later comparison with
>     stolen hashes, they must now compute the hashes for the
>     number of words * number of hash values instead of a single
>     hash for each password.
> 2) Identical passwords hash to different values. If you break a
>     particular password hash, you cannot do a trivial comparison
>     with hashes using a different salt to find other usernames
>     which use the same password.
> 3) Same password used on different systems. This is essentially
>     a special case of the # 2.
>
> Salting does very little to mitigate an attack on a single
> password hash.

I'm confused.  Are you suggesting to not salt the passwords at all prior to hashing?

    -dZ.


-------------------------------------------------------------------------
Sponsored by: Watchfire

Watchfire's AppScan is the industry's first and leading web application
security testing suite, and the only solution to provide comprehensive
remediation tasks at every level of the application. Change the way you
think about application security testing - See for yourself.
Download a Free Trial of AppScan 6.0 today!

https://www.watchfire.com/securearea/appscansix.aspx?id=701300000007kaF
--------------------------------------------------------------------------