[Esapi-user] Using account name as salt

Chris Schmidt chris.schmidt at owasp.org
Fri May 6 10:35:01 EDT 2011


The best option is to use a cryptographically strong PRNG - you will need to store the user's salt (somewhere other than the same place you store the username and hashed pw) and retrieve it for authentication

Sent from my iPwn

On May 6, 2011, at 8:26 AM, Luke Biddell <luke.biddell at gmail.com> wrote:

> Thanks Marcelo,
> 
> For each user I generate a private time based UUID and I was thinking
> of using that. But presumably if one knows that it's a UUID then it's
> in some form predictable?
> 
> Luke
> 
> On 6 May 2011 15:23, Marcelo Carvalho <marcelojunior at superig.com.br> wrote:
>> Using fixed words for salting purposes never made sense to me...
>> Like in Kerberos, where the realm is used for this matter...
>> I'll say an approved RNG would do the trick ...
>> 
>> 
>> Marcelo Carvalho, CISSP, CISA
>> marcelo.carvalho at ieee.org
>> 
>> 
>> Em 06/05/2011 11:05, Luke Biddell escreveu:
>>> In FileBasedAuthenticator you use the accountName as salt for the
>>> user's password. Is this a sensible thing to do in a production
>>> environment?
>>> 
>>> I've always thought the salt should be something unique to the user and private?
>>> 
>>> I'm using 2.0 rc10 from maven so perhaps this has changed in newer rcs
>>> after the NSA review.
>>> 
>>> Thanks for any help
>>> 
>>> Luke
>>> _______________________________________________
>>> Esapi-user mailing list
>>> Esapi-user at lists.owasp.org
>>> https://lists.owasp.org/mailman/listinfo/esapi-user
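Editor's added example, not ESAPI code and not posted by anyone in the thread, of the approach Chris describes: a per-user salt drawn from the OS CSPRNG, stored with the password verifier and retrieved again at authentication. It is written in Python rather than ESAPI's Java so that it runs stand-alone. The 16-byte salt length, PBKDF2-HMAC-SHA256 with 100 000 iterations, the `pbkdf2_sha256$...` record string and the candidate password list are assumptions chosen for illustration. The attacker-side table at the end shows the concrete cost of using a public, fixed salt such as the account name: a table for a target name can be built before any password database is obtained, whereas it matches nothing that was derived with a random salt.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Iterable, Optional

# Editor's assumptions, not ESAPI settings: salt length and PBKDF2 parameters.
SALT_BYTES = 16
PBKDF2_ITERATIONS = 100_000
HASH_NAME = "sha256"


@dataclass(frozen=True)
class PasswordRecord:
    """What must be persisted per user: the random salt and the derived verifier."""
    account_name: str
    salt: bytes
    verifier: bytes


def derive(password: str, salt: bytes, iterations: int = PBKDF2_ITERATIONS) -> bytes:
    """PBKDF2-HMAC-SHA256 of the password under the given salt."""
    return hashlib.pbkdf2_hmac(HASH_NAME, password.encode("utf-8"), salt, iterations)


def new_salt() -> bytes:
    """Fresh salt from the OS CSPRNG (secrets wraps os.urandom)."""
    return secrets.token_bytes(SALT_BYTES)


def enroll(account_name: str, password: str) -> PasswordRecord:
    """Generate a per-user random salt at enrollment and keep it with the verifier."""
    salt = new_salt()
    return PasswordRecord(account_name, salt, derive(password, salt))


def verify(record: PasswordRecord, password: str) -> bool:
    """Retrieve the stored salt, re-derive, and compare in constant time."""
    candidate = derive(password, record.salt)
    return hmac.compare_digest(candidate, record.verifier)


def encode_record(record: PasswordRecord) -> str:
    """Serialise as 'pbkdf2_sha256$iterations$salt_hex$verifier_hex' (assumed format)."""
    return "pbkdf2_sha256$%d$%s$%s" % (PBKDF2_ITERATIONS, record.salt.hex(), record.verifier.hex())


def decode_record(account_name: str, encoded: str) -> PasswordRecord:
    """Parse the string form back; the iteration count travels with the record."""
    scheme, iterations, salt_hex, verifier_hex = encoded.split("$")
    if scheme != "pbkdf2_sha256" or int(iterations) != PBKDF2_ITERATIONS:
        raise ValueError("unsupported password record")
    return PasswordRecord(account_name, bytes.fromhex(salt_hex), bytes.fromhex(verifier_hex))


def account_name_salted(account_name: str, password: str) -> bytes:
    """The scheme asked about in the thread: the salt is the public, fixed account name."""
    return derive(password, account_name.encode("utf-8"))


def precompute_table(account_name: str, candidate_passwords: Iterable[str]) -> Dict[bytes, str]:
    """Attacker side. Because the salt is the account name, the verifier for every
    candidate password of a target user can be computed before any database is stolen."""
    return {account_name_salted(account_name, pw): pw for pw in candidate_passwords}


def lookup(table: Dict[bytes, str], verifier: bytes) -> Optional[str]:
    """Match a stolen verifier against the precomputed table, if it is in there."""
    return table.get(verifier)


if __name__ == "__main__":
    rec = enroll("alice", "correct horse battery staple")
    print(encode_record(rec))
    print(verify(rec, "correct horse battery staple"), verify(rec, "wrong"))
    # Constructed candidate list standing in for an attacker's wordlist.
    table = precompute_table("alice", ["letmein", "password", "hunter2"])
    print(lookup(table, account_name_salted("alice", "hunter2")))   # found offline
    print(lookup(table, enroll("alice", "hunter2").verifier))       # random salt: no hit
```

The record type keeps the salt next to the verifier for simplicity; whether the salt is persisted in the same store as the username and hash, or elsewhere as Chris suggests, is a storage decision the verification logic does not depend on, since `verify` only needs the salt and verifier back in hand.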

