how long should a password be?
bill.royds at royds.net
Sat May 10 18:11:10 CEST 2008
On 10-May-08, at 04:37 , Peter Pentchev wrote:
> It seems that you are missing another important point about the salt -
> it is generated randomly each and every time something needs to be
> encrypted :) There is no such thing as "the salt value for this
> every time this user wants to hash a password, the system generates
> a random salt value and hashes this particular password, just this
> with this value.
But this begs the question of how to add the salt properly when
verifying the password against stored values.
To be able to authenticate against a password, it needs to be
available, in some form, as required. Normally that form is in a table
of hashed passwords, where the hashed value is a hashed combination of
the actual password and the salt Hash(Password,salt). The
authentication routine has the password, but where is the salt stored?
If it is stored along with the password, then it is available to the
cracker who has the hash table, which is necessary for brute force
cracking so adds no more security. It can't be generated each time
because it has to be the same as used in creation of the hash table.
So storage of the salt becomes its own security problem.
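As an added illustration, not part of Bill's message or the thread, here is the usual answer to the storage question raised above: the salt is kept in the clear next to the hash, and it still helps because whoever holds the table must redo the wordlist for every distinct salt and cannot reuse a table precomputed once. Hash(Password, salt) is instantiated as PBKDF2-HMAC-SHA256 from Python's standard library, which is my assumption rather than anything the thread specifies.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumed instantiation of the thread's Hash(Password, salt): PBKDF2-HMAC-SHA256.
# The iteration count is kept small so the demonstration runs quickly.
ITERATIONS = 1_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None) -> dict:
    """Create a stored record: the salt in the clear next to the salted hash."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # a fresh random salt for every stored password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt.hex(), "hash": digest.hex()}


def verify_password(record: dict, candidate: str) -> bool:
    """Recompute with the salt read from the record; the salt is not a secret."""
    salt = bytes.fromhex(record["salt"])
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(), salt, ITERATIONS)
    return hmac.compare_digest(digest.hex(), record["hash"])


def dictionary_work(records: list, wordlist: list) -> tuple:
    """Defender's estimate of what someone holding the whole table (salts included)
    gets from a wordlist: (passwords recovered, hash computations spent).
    Every record carries its own salt, so the wordlist is re-hashed per record and
    the cost scales with records * wordlist instead of wordlist alone."""
    recovered, work = 0, 0
    for r in records:
        for w in wordlist:
            work += 1
            if verify_password(r, w):
                recovered += 1
                break
    return recovered, work


def precomputed_table_hits(records: list, wordlist: list) -> int:
    """A table of unsalted hashes computed once ahead of time matches nothing in a
    salted table, even when the password is in the wordlist."""
    table = {hashlib.pbkdf2_hmac("sha256", w.encode(), b"", ITERATIONS).hex() for w in wordlist}
    return sum(1 for r in records if r["hash"] in table)


# Constructed sample table: two users share the weak password "letmein".
RECORDS = [hash_password(p) for p in ("letmein", "letmein", "correct horse battery")]
```

Note that the two "letmein" records get different salts and therefore different hashes, so even identical passwords cannot be spotted by comparing stored values.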