shiro-dev mailing list archives

From Kalle Korhonen <kalle.o.korho...@gmail.com>
Subject Re: Salted hashing of passwords - where to store the salt?
Date Sat, 30 Oct 2010 14:46:33 GMT
It's a useful thought exercise but go ahead and finish that thought.
Where would you put the salt if not with the password? If you can find
a better, more secure storage location for the hash, why don't you put
the passwords there? Per-password-salt is the best protection against
dictionary attacks and storing hash with the password is a widely
accepted and used practice. You can of course store it somewhere else
but it won't buy you any more security.

Kalle


On Sat, Oct 30, 2010 at 1:05 AM, Peter Ledbrook <peter@cacoethes.co.uk> wrote:
> Hi,
>
> I came across the changes to the credential matching and wondered
> about the recommendations for generating the salt for passwords. The
> Javadoc suggests storing the salt along with the credentials, but
> doesn't this defeat the purpose somewhat? If an attacker has gained
> access to the hashed passwords, wouldn't they also have access to the
> salts? Hence they can still use dictionary attacks. Am I missing
> something here?
>
> Thanks,
>
> Peter
>
> --
> Peter Ledbrook
> Grails Advocate
> SpringSource - A Division of VMware
>
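The practice the reply describes, a fresh per-password salt kept in the same credential record as the hash, as an added Python example that is not Shiro code and not part of the thread; the record format, PBKDF2 work factor and salt length are assumptions chosen for the illustration.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

ITERATIONS = 100_000  # assumption: PBKDF2 work factor; not taken from the thread
SALT_BYTES = 16       # assumption: length of the per-password random salt

def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return one credential record, 'pbkdf2_sha256$iter$salt_hex$digest_hex'.
    The salt is generated fresh per password and stored inside the record."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # CSPRNG; every call yields a new salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"

def parse_record(record: str) -> Tuple[int, bytes, bytes]:
    """Split a stored record back into (iterations, salt, digest)."""
    algo, iters, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError(f"unsupported record format: {algo}")
    return int(iters), bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)

def verify_password(password: str, record: str) -> bool:
    """Recompute the digest with the salt read from the same record."""
    iters, salt, digest = parse_record(record)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iters)
    return hmac.compare_digest(candidate, digest)  # constant-time comparison

def same_password_distinct_digests(password: str) -> bool:
    """Two accounts that chose the same password get different salts and so
    different digests: work done against one record does not carry over."""
    _, salt_a, digest_a = parse_record(hash_password(password))
    _, salt_b, digest_b = parse_record(hash_password(password))
    return salt_a != salt_b and digest_a != digest_b

def hash_evaluations(users: int, dictionary_size: int) -> Tuple[int, int]:
    """(unsalted, salted) hash evaluations to test a dictionary against every
    record: one shared table without salt, one full pass per record with it."""
    return dictionary_size, dictionary_size * users

if __name__ == "__main__":
    rec = hash_password("correct horse")
    print(rec)
    print(verify_password("correct horse", rec), verify_password("wrong", rec))
    print(same_password_distinct_digests("correct horse"))
    print(hash_evaluations(10_000, 1_000_000))
```

Knowing the salt only lets an attacker start the per-record work; it does not let one precomputed table serve every record, which is why keeping it beside the hash costs nothing.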
