[Esapi-user] Using account name as salt

Luke Biddell luke.biddell at gmail.com
Fri May 6 11:57:21 EDT 2011


Thanks Kevin,

I shall do as you suggest.

I'm not using FileBasedAuthenticator in prod, just using it as an
example with a view to writing my own. And that line of code stuck out
like a sore thumb amongst others, hence this thread.

Is there a guide to writing your own authenticator which I've missed
in the docs?

Is this not something that's missing from ESAPI? As a security novice,
what I'd ideally get is an example which at the time of writing
represents the very best practice for someone to base their own code
upon. There is real value in that, especially for me as a beginner.

Thanks for all the help

Luke


On 6 May 2011 16:37, Kevin W. Wall <kevin.w.wall at gmail.com> wrote:
> No, it is not sensible to do this in production. Salts  should be N-bits of
> *random* bits. This is only marginally better than no salt at all IMO. Salts
> are generally stored w/ the password hash itself. OTOH, what is even LESS
> sensible is using FileBasedAuthenticator in a production env at all. It
> clearly is a toy implementation meant for illustrative purposes & not
> something considered production-ready. This has be mentioned several times
> on this list. (Maybe we need to mention this in the javadoc.)
>
> -kevin
> --
> Kevin W. Wall
> Sent from DroidX; please excuse typos.
>
> On May 6, 2011 10:06 AM, "Luke Biddell" <luke.biddell at gmail.com> wrote:
>> In FileBasedAuthenticator you use the accountName as salt for the
>> user's password. Is this a sensible thing to do in a production
>> environment?
>>
>> I've always thought the salt should be something unique to the user and
>> private?
>>
>> I'm using 2.0 rc10 from maven so perhaps this has changed in never rcs
>> after the NSA review.
>>
>> Thanks for any help
>>
>> Luke
>> _______________________________________________
>> Esapi-user mailing list
>> Esapi-user at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/esapi-user
>


More information about the Esapi-user mailing list