SCJP 1.4, SCWCD 1.4 - Hints for you, Certified Scrum Master
Did a rm -R / to find out that I lost my entire Linux installation!
Retired horse trader.
Note: double-underline links may be advertisements automatically added by this site and are probably not endorsed by me.
Ulf Dittmer wrote:You wouldn't use a random salt, you'd use a single fixed salt which you'd need to store somewhere.
James Sabre wrote:You store the random salt and the digest in the database. When a user tries to log in you extract his random salt from the database and generate the digest from the salt and the password he has tried to authenticate with. If this digest matches that in the database then the user is probably who he says he is.
Joe Harry wrote:Is the random salt just a random String of a specified length that I specify?
If yes, then how would it minimize the chance of a dictionary attack or a birthday attack against the hash stored passwords? I mean if a hacker gets access to the password table, then he also has access to the random salt and he can append it to the hash and run his dictionary to crack the original password? Am I thinking stupid?
James Sabre wrote:
Joe Harry wrote:Is the random salt just a random String of a specified length that I specify?
Not normally a string - just an array of random bytes. Cryptography uses bytes in preference to strings and characters.
If yes, then how would it minimize the chance of a dictionary attack or a birthday attack against the hash stored passwords? I mean if a hacker gets access to the password table, then he also has access to the random salt and he can append it to the hash and run his dictionary to crack the original password? Am I thinking stupid?
Without the random salt the attacker just needs to create one digest(potential password) -> password dictionary from his list of potential passwords. He then just looks up each stored hash in this map. N users 1 dictionary. Very quick.
With the random salt the attacker needs to create a digest(random salt + password) -> password dictionary for each user. N users requires N dictionaries. Much slower.
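As an added example (not code from the thread), the work-factor argument above and James Sabre's login check, written in Python rather than Java: the user table, word list and passwords are constructed, SHA-256 stands in for whatever digest the application uses, and a real deployment would put a slow iterated KDF such as PBKDF2 on top of the per-user salt.

```python
import hashlib
import hmac
import os

# Constructed toy user table (user -> weak password); not data from the thread.
USERS = {"alice": "password", "bob": "letmein", "carol": "password", "dave": "qwerty"}
# Constructed word list, kept tiny so the hashing work can be counted exactly.
WORDLIST = ["123456", "password", "letmein", "qwerty", "dragon"]

def unsalted_table(users):
    """Store digest(password) only: the scheme the thread argues against."""
    return {u: hashlib.sha256(p.encode()).digest() for u, p in users.items()}

def salted_table(users, salt_len=16):
    """Store (random salt bytes, digest(salt + password)) for each user."""
    table = {}
    for u, p in users.items():
        salt = os.urandom(salt_len)  # bytes, not a String, as James Sabre notes
        table[u] = (salt, hashlib.sha256(salt + p.encode()).digest())
    return table

def verify(table, user, attempt):
    """Login check: re-derive the digest with the stored salt, compare in constant time."""
    salt, stored = table[user]
    return hmac.compare_digest(stored, hashlib.sha256(salt + attempt.encode()).digest())

def dictionary_work_unsalted(table, wordlist):
    """One digest -> password map serves every user: N users, 1 dictionary.
    Returns (users matched, number of digests computed)."""
    dictionary = {hashlib.sha256(w.encode()).digest(): w for w in wordlist}
    matched = {u: dictionary[h] for u, h in table.items() if h in dictionary}
    return matched, len(wordlist)

def dictionary_work_salted(table, wordlist):
    """The salt is known from the leaked table, yet the map must be rebuilt per user:
    N users, N dictionaries. Returns (users matched, number of digests computed)."""
    matched, work = {}, 0
    for u, (salt, h) in table.items():
        dictionary = {hashlib.sha256(salt + w.encode()).digest(): w for w in wordlist}
        work += len(wordlist)
        if h in dictionary:
            matched[u] = dictionary[h]
    return matched, work
```

Both schemes still give up the weak passwords; the salt multiplies the attacker's work by the number of users and stops two users with the same password from sharing a digest, which is all it is meant to do.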
Joe Harry wrote:
Now let us imagine a scenario wherein the hacker has access to my password table, and it is in this password table that I have the salt bytes and the password stored. Here it is much like an N to 1 case wherein the hacker knows the salt and he just needs to generate the password from his dictionary. Am I correct?
Joe Harry wrote:I'm trying to protect these pages with as much security as possible.
Joe Harry wrote:Did you mean the j_password, j_username techniques?
I was considering securing those pages using session state, password authentication and https.