[Esapi-user] Using account name as salt

Luke Biddell luke.biddell at gmail.com
Fri May 6 10:44:23 EDT 2011


Thanks Chris.

I've seen before now (think it was Jasypt) systems which append the
PRNG salt bytes to the hash bytes then base64-encode them. Upon testing
password hashes, the existing password is then split again and the
salt reconstituted for use in hashing the input password. Guess it
relies on obscurity; you'd have to read the source code to determine
how it was done. But I guess all systems are vulnerable to that:
storing the salt elsewhere is only secure as long as people don't know
where the salt is.

Where do you guys generally see people storing the salt? External file
system. Keystore?

Luke

On 6 May 2011 15:35, Chris Schmidt <chris.schmidt at owasp.org> wrote:
> The best option is to use a cryptographically strong PRNG - you will need to store the user's salt (somewhere other than the same place you store the username and hashed pw) and retrieve it for authentication
>
> Sent from my iPwn
>
> On May 6, 2011, at 8:26 AM, Luke Biddell <luke.biddell at gmail.com> wrote:
>
>> Thanks Marcelo,
>>
>> For each user I generate a private time based UUID and I was thinking
>> of using that. But presumably if one knows that it's a UUID then it's
>> in some form predictable?
>>
>> Luke
>>
>> On 6 May 2011 15:23, Marcelo Carvalho <marcelojunior at superig.com.br> wrote:
>>> Using fixed words for salting purposes never made sense to me...
>>> Like in Kerberos, where the realm is used for this matter...
>>> I'll say an approved RNG would do the trick ...
>>>
>>>
>>> Marcelo Carvalho, CISSP, CISA
>>> marcelo.carvalho at ieee.org
>>>
>>>
>>> On 06/05/2011 11:05, Luke Biddell wrote:
>>>> In FileBasedAuthenticator you use the accountName as salt for the
>>>> user's password. Is this a sensible thing to do in a production
>>>> environment?
>>>>
>>>> I've always thought the salt should be something unique to the user and private?
>>>>
>>>> I'm using 2.0 rc10 from maven so perhaps this has changed in newer RCs
>>>> after the NSA review.
>>>>
>>>> Thanks for any help
>>>>
>>>> Luke
>>>> _______________________________________________
>>>> Esapi-user mailing list
>>>> Esapi-user at lists.owasp.org
>>>> https://lists.owasp.org/mailman/listinfo/esapi-user
>
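The salt-prepended-to-hash layout Luke describes above (PRNG salt bytes concatenated with the hash bytes, base64-encoded, and split again at verification time), written out as an added example. This is not code from ESAPI, Jasypt or any poster in the thread; it assumes PBKDF2-HMAC-SHA256 as the password hash, a 16-byte salt from the OS CSPRNG (the "cryptographically strong PRNG" Chris recommends), and an iteration count chosen here for illustration. It also shows why this layout does not depend on the salt staying hidden: the salt's job is to be unique per user so that equal passwords hash differently and precomputed tables do not apply, while the work factor is what slows guessing.

```python
import base64
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

# Layout of one stored credential (assumption, not any library's format):
#   base64( salt[SALT_LEN] || PBKDF2-HMAC-SHA256(password, salt)[DKLEN] )
SALT_LEN = 16          # bytes of CSPRNG salt, unique per user
DKLEN = 32             # derived key length (SHA-256 output size)
ITERATIONS = 200_000   # example work factor; tune to the deployment's latency budget


def _derive(password: str, salt: bytes) -> bytes:
    """Slow, salted password hash. The salt is public; the iteration count is the cost."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                               ITERATIONS, dklen=DKLEN)


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Create the stored form. A fresh CSPRNG salt is drawn unless one is supplied (tests only)."""
    if salt is None:
        salt = secrets.token_bytes(SALT_LEN)   # never a username, UUID or other guessable value
    if len(salt) != SALT_LEN:
        raise ValueError("salt must be exactly SALT_LEN bytes")
    return base64.b64encode(salt + _derive(password, salt)).decode("ascii")


def split_stored(stored: str) -> Optional[Tuple[bytes, bytes]]:
    """Decode and split a stored credential into (salt, hash); None if it is malformed."""
    try:
        raw = base64.b64decode(stored, validate=True)
    except ValueError:      # binascii.Error is a ValueError subclass
        return None
    if len(raw) != SALT_LEN + DKLEN:
        return None
    return raw[:SALT_LEN], raw[SALT_LEN:]


def verify_password(password: str, stored: str) -> bool:
    """Reconstitute the salt from the stored value and compare in constant time."""
    parts = split_stored(stored)
    if parts is None:
        return False
    salt, expected = parts
    return hmac.compare_digest(_derive(password, salt), expected)


if __name__ == "__main__":
    # Constructed user table: two users with the same password get different records.
    users = {name: hash_password("correct horse battery staple") for name in ("alice", "bob")}
    for name, record in users.items():
        print(name, record)
    print("alice ok:", verify_password("correct horse battery staple", users["alice"]))
    print("alice wrong:", verify_password("Tr0ub4dor&3", users["alice"]))
    print("distinct records:", users["alice"] != users["bob"])
```

Because the salt sits in the same column as the hash, the only thing the verifier needs from elsewhere is the layout (fixed lengths), so no second store, file or keystore lookup is involved; the malformed-record checks in `split_stored` are what keep a truncated or tampered value from being accepted.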

