shiro-dev mailing list archives

From "Alan D. Cabrera" <l...@toolazydogs.com>
Subject Re: Salted hashing of passwords - where to store the salt?
Date Sat, 30 Oct 2010 15:32:33 GMT

On Oct 30, 2010, at 1:05 AM, Peter Ledbrook wrote:

> Hi,
> 
> I came across the changes to the credential matching and wondered
> about the recommendations for generating the salt for passwords. The
> Javadoc suggests storing the salt along with the credentials, but
> doesn't this defeat the purpose somewhat? If an attacker has gained
> access to the hashed passwords, wouldn't they also have access to the
> salts? Hence they can still use dictionary attacks. Am I missing
> something here?

If the salt is random per password then one cannot use a dictionary attack.


Regards,
Alan
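
Added example (not part of the original message, and not Shiro's own code): a plain-JDK sketch of the scheme discussed above, with a random salt per password stored in the clear next to the hash. It shows that a table precomputed once from a word list does not match any stored record, and that two accounts with the same password get different stored hashes. The names `SaltDemo`, `enroll`, `verify` and the `ITERATIONS` value are assumptions for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.HashSet;
import java.util.Set;

public class SaltDemo {
    static final int ITERATIONS = 1024; // assumed work factor for this demo

    // Salted, iterated SHA-256: H(salt || password), then re-hashed.
    static byte[] hash(String password, byte[] salt) throws Exception {
        MessageDigest md = MessageDigest.getInstance("SHA-256");
        md.update(salt);
        byte[] h = md.digest(password.getBytes(StandardCharsets.UTF_8));
        for (int i = 1; i < ITERATIONS; i++) h = md.digest(h);
        return h;
    }

    // Stored record: { salt, hash }, both Base64. The salt is not secret.
    static String[] enroll(String password) throws Exception {
        byte[] salt = new byte[16];
        new SecureRandom().nextBytes(salt); // fresh random salt per password
        Base64.Encoder b64 = Base64.getEncoder();
        return new String[] { b64.encodeToString(salt), b64.encodeToString(hash(password, salt)) };
    }

    static boolean verify(String password, String[] record) throws Exception {
        byte[] salt = Base64.getDecoder().decode(record[0]);
        byte[] expected = Base64.getDecoder().decode(record[1]);
        return MessageDigest.isEqual(expected, hash(password, salt)); // constant-time compare
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample data: two accounts that chose the same password.
        String[] alice = enroll("letmein");
        String[] bob = enroll("letmein");

        // A table computed once, without a salt, from a constructed word list.
        Set<String> precomputed = new HashSet<>();
        for (String w : new String[] { "password", "letmein", "123456" })
            precomputed.add(Base64.getEncoder().encodeToString(hash(w, new byte[0])));

        System.out.println("same password, same stored hash: " + alice[1].equals(bob[1]));
        System.out.println("precomputed table matches alice: " + precomputed.contains(alice[1]));
        System.out.println("alice verifies with stored salt: " + verify("letmein", alice));
        System.out.println("wrong password accepted:         " + verify("letmein1", alice));
    }
}
```

The stored salt is only needed so that `verify` can recompute the same hash; what it takes away is the ability to reuse one precomputed table across every record in the store.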
