[Esapi-user] Using account name as salt

Luke Biddell luke.biddell at gmail.com
Fri May 6 10:26:25 EDT 2011


Thanks Marcelo,

For each user I generate a private time-based UUID and I was thinking
of using that. But presumably if one knows that it's a UUID then it's
in some form predictable?

Luke

On 6 May 2011 15:23, Marcelo Carvalho <marcelojunior at superig.com.br> wrote:
> Using fixed words for salting purposes never made sense to me...
> Like in Kerberos, where the realm is used to this matter...
> I'll say an approved RNG would do the trick ...
>
>
> Marcelo Carvalho, CISSP, CISA
> marcelo.carvalho at ieee.org
>
>
> On 06/05/2011 11:05, Luke Biddell wrote:
>> In FileBasedAuthenticator you use the accountName as salt for the
>> user's password. Is this a sensible thing to do in a production
>> environment?
>>
>> I've always thought the salt should be something unique to the user and private?
>>
>> I'm using 2.0 rc10 from maven so perhaps this has changed in newer rcs
>> after the NSA review.
>>
>> Thanks for any help
>>
>> Luke
>> _______________________________________________
>> Esapi-user mailing list
>> Esapi-user at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/esapi-user
>
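The difference Luke is asking about, as an added example (not code from the thread or from ESAPI's FileBasedAuthenticator): the same account and password enrolled on two independent systems hash identically when the account name is the salt, but not when each enrolment draws a fresh salt from the OS CSPRNG. Since a time-based (version 1) UUID is built from a timestamp and node identifier rather than random bits, the salt here comes from Python's `secrets` module; the PBKDF2 iteration count and salt length are assumed values.

```python
import hashlib
import hmac
import secrets

PBKDF2_ITERATIONS = 100_000  # assumed work factor, not an ESAPI setting


def hash_with_account_salt(account_name: str, password: str) -> bytes:
    # The pattern questioned in the thread: the public account name is the salt.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                               account_name.encode("utf-8"), PBKDF2_ITERATIONS)


def new_random_salt(length: int = 16) -> bytes:
    # Per-user salt from the OS CSPRNG; stored in the clear next to the hash.
    return secrets.token_bytes(length)


def hash_with_random_salt(salt: bytes, password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def verify(salt: bytes, stored_hash: bytes, candidate: str) -> bool:
    # Constant-time comparison of the recomputed hash against the stored one.
    return hmac.compare_digest(stored_hash, hash_with_random_salt(salt, candidate))


def compare_schemes(account_name: str, password: str) -> dict:
    """Simulate one user enrolling the same password on two independent systems.

    With the account name as salt both systems store the same hash, so a table
    precomputed for a common account name applies to every deployment at once.
    With a random salt each enrolment gets its own salt and therefore its own hash.
    """
    account_hashes = {hash_with_account_salt(account_name, password) for _ in range(2)}
    random_hashes = {hash_with_random_salt(new_random_salt(), password) for _ in range(2)}
    return {
        "account_salt_identical_across_systems": len(account_hashes) == 1,
        "random_salt_identical_across_systems": len(random_hashes) == 1,
    }


if __name__ == "__main__":
    # Constructed sample credentials, not data from the thread.
    print(compare_schemes("admin", "correct horse battery staple"))
    salt = new_random_salt()
    stored = hash_with_random_salt(salt, "s3cret")
    print("accept:", verify(salt, stored, "s3cret"), "reject:", verify(salt, stored, "guess"))
```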
