[Esapi-user] Using account name as salt

Chris Schmidt chrisisbeef at gmail.com
Fri May 6 12:00:01 EDT 2011

I agree that this needs to be highlighted better. That being said:


1.       Using File-Based Authentication in and of itself is problematic for
web applications. If your application server runs as the user Tomcat, then
the tomcat user needs to have r/w access to your passwd files; if you have a
shellable vulnerability or a path traversal in your web-app then you're

2.       Storing credentials in your database where you store the rest of
your data is also problematic. A SQLi in a completely unrelated part of your
application can cause havoc (just ask the guys from Sony)


Ideally, authentication should be a completely separate process, with
credentials stored and accessed someplace completely isolated from the rest
of the application such as an LDAP Provider.


I plan on releasing a Spring Security/ESAPI Authenticator Adapter
*component* shortly after 2.0GA goes live. It wouldn't be out of the
question to pull the "Spring'ed" portion of code out and replace the RI with
something that is actually useful.


From: esapi-user-bounces at lists.owasp.org
[mailto:esapi-user-bounces at lists.owasp.org] On Behalf Of Kevin W. Wall
Sent: Friday, May 06, 2011 9:38 AM
To: Luke Biddell
Cc: esapi-user at lists.owasp.org
Subject: Re: [Esapi-user] Using account name as salt


No, it is not sensible to do this in production. Salts  should be N-bits of
*random* bits. This is only marginally better than no salt at all IMO. Salts
are generally stored w/ the password hash itself. OTOH, what is even LESS
sensible is using FileBasedAuthenticator in a production env at all. It
clearly is a toy implementation meant for illustrative purposes & not
something considered production-ready. This has be mentioned several times
on this list. (Maybe we need to mention this in the javadoc.)

Kevin W. Wall
Sent from DroidX; please excuse typos.

On May 6, 2011 10:06 AM, "Luke Biddell" <luke.biddell at gmail.com> wrote:
> In FileBasedAuthenticator you use the accountName as salt for the
> user's password. Is this a sensible thing to do in a production
> environment?
> I've always thought the salt should be something unique to the user and
> I'm using 2.0 rc10 from maven so perhaps this has changed in never rcs
> after the NSA review.
> Thanks for any help
> Luke
> _______________________________________________
> Esapi-user mailing list
> Esapi-user at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/esapi-user

-------------- next part --------------
An HTML attachment was scrubbed...
URL: https://lists.owasp.org/pipermail/esapi-user/attachments/20110506/6215184e/attachment.html 

More information about the Esapi-user mailing list