Re: Oracle hash-list?

From: Joshua Wright (jwright@hasborg.com)
Date: Mon Mar 21 2005 - 11:19:52 EST


Steven DeFord wrote:
> Isn't using the username as useful as a salt? Better, even, perhaps,
> since usernames are longer than your typical few-character salt?
> Salts just slow down precompiled dictionary attacks, yes? I suppose
> it would be less useful for the few default accounts, but not for all
> the other users.

While this is true, a conflicting salt for users on two different
systems would be a problem, since they will have the same password hash.
A compromised username/password combination on one system could extend
to another system since there is no unique salt.

-Josh

-- 
-Joshua Wright
jwright@hasborg.com
http://home.jwu.edu/jwright/
pgpkey: http://home.jwu.edu/jwright/pgpkey.htm
fingerprint: FDA5 12FC F391 3740 E0AE BDB6 8FE2 FC0A D44B 4A73
Today I stumbled across the world's largest hotspot.  The SSID is "linksys".
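
An added illustration of the point in the reply above (not code from the thread, and not Oracle's actual hash algorithm): PBKDF2-HMAC-SHA256 stands in for the password hash, and the account names, passwords and function names are constructed for the example. It enrolls the same users on two systems with a username-derived salt and with a random per-record salt, then audits the two tables for byte-identical stored hashes.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed work factor for this illustration


def kdf(password: str, salt: bytes) -> bytes:
    # Stand-in password hash; any salted hash shows the same effect.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def enroll_username_salt(username: str, password: str) -> dict:
    # Salt comes from the username only, so it is the same on every system.
    salt = username.encode()
    return {"user": username, "salt": salt, "hash": kdf(password, salt)}


def enroll_random_salt(username: str, password: str) -> dict:
    # Fresh random salt per record, stored next to the hash.
    salt = os.urandom(16)
    return {"user": username, "salt": salt, "hash": kdf(password, salt)}


def verify(record: dict, password: str) -> bool:
    return hmac.compare_digest(record["hash"], kdf(password, record["salt"]))


def shared_hashes(table_a: list, table_b: list) -> list:
    """Audit check: users whose stored hash is identical on both systems."""
    by_user = {r["user"]: r["hash"] for r in table_a}
    return sorted(r["user"] for r in table_b
                  if r["user"] in by_user
                  and hmac.compare_digest(by_user[r["user"]], r["hash"]))


def build_tables(enroll) -> tuple:
    # Constructed accounts: alice reuses her password, bob does not.
    system_a = [enroll("alice", "Spring2005!"), enroll("bob", "first-secret")]
    system_b = [enroll("alice", "Spring2005!"), enroll("bob", "second-secret")]
    return system_a, system_b


if __name__ == "__main__":
    print("username salt:", shared_hashes(*build_tables(enroll_username_salt)))
    print("random salt:  ", shared_hashes(*build_tables(enroll_random_salt)))
```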

