[Esapi-user] Using account name as salt

Kevin W. Wall kevin.w.wall at gmail.com
Fri May 6 11:37:37 EDT 2011


No, it is not sensible to do this in production. Salts should be N-bits of
*random* bits. This is only marginally better than no salt at all IMO. Salts
are generally stored w/ the password hash itself. OTOH, what is even LESS
sensible is using FileBasedAuthenticator in a production env at all. It
clearly is a toy implementation meant for illustrative purposes & not
something considered production-ready. This has been mentioned several times
on this list. (Maybe we need to mention this in the javadoc.)

-kevin
--
Kevin W. Wall
Sent from DroidX; please excuse typos.
On May 6, 2011 10:06 AM, "Luke Biddell" <luke.biddell at gmail.com> wrote:
> In FileBasedAuthenticator you use the accountName as salt for the
> user's password. Is this a sensible thing to do in a production
> environment?
>
> I've always thought the salt should be something unique to the user and
> private?
>
> I'm using 2.0 rc10 from maven so perhaps this has changed in newer rcs
> after the NSA review.
>
> Thanks for any help
>
> Luke
> _______________________________________________
> Esapi-user mailing list
> Esapi-user at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/esapi-user