[Esapi-user] Using account name as salt

Marcelo Carvalho marcelojunior at superig.com.br
Fri May 6 10:23:33 EDT 2011


Using fixed words for salting purposes never made sense to me...
Like in Kerberos, where the realm is used for this purpose...
I'll say an approved RNG would do the trick ...


Marcelo Carvalho, CISSP, CISA
marcelo.carvalho at ieee.org


On 06/05/2011 11:05, Luke Biddell wrote:
> In FileBasedAuthenticator you use the accountName as salt for the
> user's password. Is this a sensible thing to do in a production
> environment?
>
> I've always thought the salt should be something unique to the user and private?
>
> I'm using 2.0 rc10 from Maven, so perhaps this has changed in newer RCs
> after the NSA review.
>
> Thanks for any help
>
> Luke
> _______________________________________________
> Esapi-user mailing list
> Esapi-user at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/esapi-user
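As an added illustration (not ESAPI code, and not from either poster), the following Python puts the pattern Luke describes next to the random-salt approach Marcelo suggests. Using the account name as the salt makes the salt public and identical everywhere that login name exists, so an attacker who knows only a target's username can build a lookup table for it before ever seeing the credential store, and the same (account, password) pair hashes identically on unrelated systems. A per-user salt drawn from a CSPRNG (here `secrets.token_bytes`) and stored in the clear beside the hash removes both properties; the salt itself does not need to be private, only unique and unpredictable. The function names, the PBKDF2 iteration count and the sample passwords are assumptions made for this example.

```python
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional

# Illustrative work factor; a real deployment tunes this to its hardware.
ITERATIONS = 100_000
SALT_LEN = 16


def hash_account_salted(account: str, password: str) -> bytes:
    """Deterministic salt: the account name (the pattern under discussion).

    The salt is public and predictable, so the output for a given
    (account, password) pair is identical on every system using this scheme.
    """
    return hashlib.pbkdf2_hmac(
        "sha256", password.encode(), account.encode(), ITERATIONS
    )


def precompute_for_account(account: str, candidates: List[str]) -> Dict[bytes, str]:
    """What an attacker who knows only the target's login name can do before
    ever obtaining the credential store: a hash -> password lookup table."""
    return {hash_account_salted(account, p): p for p in candidates}


def hash_random_salted(password: str, salt: Optional[bytes] = None) -> bytes:
    """Per-user random salt from a CSPRNG, stored with the hash.

    Stored layout (assumed for this example): 16-byte salt || 32-byte
    PBKDF2-HMAC-SHA256 output. The salt is not secret; it only has to be
    unique per user and unpredictable in advance.
    """
    if salt is None:
        salt = secrets.token_bytes(SALT_LEN)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt + digest


def verify_random_salted(password: str, stored: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    salt, expected = stored[:SALT_LEN], stored[SALT_LEN:]
    actual = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(actual, expected)


def demo() -> dict:
    # Constructed sample data: the same admin account and password on two
    # unrelated sites, plus a tiny candidate list the attacker guesses from.
    candidates = ["password", "letmein", "Summer2011"]
    site_a = hash_account_salted("admin", "Summer2011")
    site_b = hash_account_salted("admin", "Summer2011")
    table = precompute_for_account("admin", candidates)

    stored_1 = hash_random_salted("Summer2011")
    stored_2 = hash_random_salted("Summer2011")
    return {
        # Same username + same password => same hash on both sites.
        "account_salt_identical_across_sites": site_a == site_b,
        # Table built from the username alone recovers the password instantly.
        "cracked_without_db_access": table.get(site_a),
        # Random salt: two users with the same password store different values.
        "random_salt_identical_across_users": stored_1 == stored_2,
        "verify_ok": verify_random_salted("Summer2011", stored_1),
        "verify_wrong": verify_random_salted("letmein", stored_1),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

Running the demo shows the account-salted hash being recovered from a table computed without any access to the stored credentials, while the randomly salted records differ for every user and still verify correctly.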

