[Esapi-user] Using account name as salt
luke.biddell at gmail.com
Fri May 6 10:26:25 EDT 2011
For each user I generate a private time-based UUID and I was thinking
of using that. But presumably if one knows that it's a UUID then it's
predictable in some form?
On 6 May 2011 15:23, Marcelo Carvalho <marcelojunior at superig.com.br> wrote:
> Using fixed words for salting purposes never made sense to me...
> Like in Kerberos, where the realm is used for this purpose...
> I'd say an approved RNG would do the trick...
> Marcelo Carvalho, CISSP, CISA
> marcelo.carvalho at ieee.org
> On 06/05/2011 11:05, Luke Biddell wrote:
>> In FileBasedAuthenticator you use the accountName as salt for the
>> user's password. Is this a sensible thing to do in a production
>> I've always thought the salt should be something unique to the user and private?
>> I'm using 2.0 rc10 from maven so perhaps this has changed in newer RCs
>> after the NSA review.
>> Thanks for any help.
>> Esapi-user mailing list
>> Esapi-user at lists.owasp.org
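Since the thread turns on what makes an acceptable salt, here is an added worked example. It is not code from ESAPI or from anyone in the thread, and it is in Python rather than ESAPI's Java so it runs stand-alone. It contrasts the three candidates discussed: the account name as salt, a time-based (version 1) UUID as salt, and a salt drawn from the operating system's CSPRNG. The account names, passwords, iteration count and salt length are constructed for illustration and are not ESAPI's defaults.

```python
import hashlib
import hmac
import os
import uuid

# Constructed parameters for the demo (assumptions, not ESAPI's defaults).
ITERATIONS = 100_000
SALT_BYTES = 16


def hash_with_account_salt(account_name: str, password: str) -> bytes:
    """Scheme questioned in the thread: the account name is the salt.

    The salt is unique per user but public, and identical on every system
    that has a user of this name, so the digest is fully determined by
    (account_name, password).
    """
    return hashlib.pbkdf2_hmac(
        "sha256", password.encode(), account_name.encode(), ITERATIONS
    )


def hash_with_random_salt(password: str) -> tuple[bytes, bytes]:
    """Salt from the OS CSPRNG; stored next to the digest, never reused."""
    salt = os.urandom(SALT_BYTES)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def verify_random_salt(password: str, salt: bytes, stored: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, stored)


def account_salt_is_precomputable() -> bool:
    """Two unrelated deployments, same well-known account name, same
    password: identical digests. A table built once for 'admin' applies
    to every system that salts with the account name."""
    site_a = hash_with_account_salt("admin", "correct horse battery")
    site_b = hash_with_account_salt("admin", "correct horse battery")
    return site_a == site_b


def random_salt_is_not_precomputable() -> bool:
    """Same password hashed twice with fresh random salts gives different
    digests, so no table computed in advance covers more than one record."""
    salt_a, digest_a = hash_with_random_salt("correct horse battery")
    salt_b, digest_b = hash_with_random_salt("correct horse battery")
    return salt_a != salt_b and digest_a != digest_b


def uuid1_salts_share_structure(count: int = 5) -> bool:
    """Version 1 UUIDs are not uniformly random: the node field is fixed
    for the host (or process) and the time field increases monotonically.
    Given one UUID issued by the host, the only part an attacker does not
    already know is the 14-bit clock sequence."""
    ids = [uuid.uuid1() for _ in range(count)]
    nodes = {u.node for u in ids}
    times = [u.time for u in ids]
    return len(nodes) == 1 and times == sorted(times)


if __name__ == "__main__":
    salt, digest = hash_with_random_salt("correct horse battery")
    print("account-name salt precomputable:", account_salt_is_precomputable())
    print("random salt precomputable:", not random_salt_is_not_precomputable())
    print("uuid1 salts structurally predictable:", uuid1_salts_share_structure())
    print("verify with stored salt:", verify_random_salt("correct horse battery", salt, digest))
```

The random salt does not need to be secret; it needs to be unpredictable before the hash is created and unique per record, which is what os.urandom provides and what a username or a v1 UUID does not.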