[Esapi-user] Using account name as salt

Jim Manico jim.manico at owasp.org
Fri May 6 16:09:17 EDT 2011


And no, it is not at all sensible to use the account name for a
security library. I'll track this as a bug, which it is.

My short list on password storage:

1) Use a modern hash algorithm
2) Iterate 1000X or more depending on the year of implementation*
3) Use a strong random salt - 50+ characters**
4) Isolate the salt - store it separately from the password hash in some way

The default implementation of ESAPI contains the modern hash, the
iteration but not the salt isolation or strong salt. This could be added
with a forked or private implementation.

- Jim

* 1000 iterations was the year 2000 recommendation. This was meant to
double every few years since the point of iteration is just to slow down
the reverse engineering of this mechanism. If you can afford the CPU
time, make this iteration count as large as feasibly possible.

** I'm not sure if 50 is a precise enough recommendation for salt
length, but it's in the right ballpark.

> In FileBasedAuthenticator you use the accountName as salt for the
> user's password. Is this a sensible thing to do in a production
> environment?
> 
> I've always thought the salt should be something unique to the user and private?
> 
> I'm using 2.0 rc10 from maven so perhaps this has changed in newer RCs
> after the NSA review.
> 
> Thanks for any help
> 
> Luke
> _______________________________________________
> Esapi-user mailing list
> Esapi-user at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/esapi-user
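The four points in Jim's list, worked through as an added example (this is not ESAPI code, nor code from either poster). It uses PBKDF2-HMAC-SHA256 from the Python standard library as the "modern hash + iteration" step, a 32-byte random salt (64 hex characters, past the "50+" mark), and two separate dicts standing in for two separate stores so the salt is isolated from the hash. The iteration count, store names and function names are all assumptions for illustration. It also keeps the weak scheme from the question (salt = account name) beside the fixed one, so the difference can be observed directly: with a public, predictable salt, the same account name and password produce the same hash on every deployment, which is what lets an attacker precompute for common account names; with a random salt, two enrolments of the same credentials never collide.

```python
"""Password storage per the short list above: modern hash, iteration,
strong random salt, salt stored apart from the hash.

Added example, not ESAPI's implementation. Names, iteration count and the
dict-backed "stores" are assumptions for illustration only.
"""
import hashlib
import hmac
import secrets

# Assumption: tune upward over time; 100k PBKDF2-SHA256 rounds is a
# reasonable floor for 2011-era hardware and is cheap enough to test here.
ITERATIONS = 100_000
SALT_BYTES = 32  # 32 random bytes = 64 hex characters, over the "50+" mark

# Point 4, salt isolation: two separate stores. In production these would be
# different tables, databases or services so one leaked table does not carry
# both halves of what an attacker needs.
HASH_STORE = {}  # account -> (pbkdf2 output, iteration count used)
SALT_STORE = {}  # account -> random salt bytes


def derive(password, salt, iterations):
    """Points 1 and 2: a modern hash (SHA-256) iterated via PBKDF2."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def set_password(account, password, iterations=ITERATIONS):
    """Point 3: a fresh, strong random salt per enrolment, never derived
    from anything public like the account name."""
    salt = secrets.token_bytes(SALT_BYTES)
    SALT_STORE[account] = salt
    # Store the iteration count beside the hash so it can be raised later
    # for new enrolments without invalidating existing ones.
    HASH_STORE[account] = (derive(password, salt, iterations), iterations)


def verify_password(account, password):
    salt = SALT_STORE.get(account)
    stored = HASH_STORE.get(account)
    if salt is None or stored is None:
        # Burn the same CPU for an unknown account so timing does not
        # reveal which account names exist.
        derive(password, b"\x00" * SALT_BYTES, ITERATIONS)
        return False
    expected, iterations = stored
    # Constant-time comparison of the derived value against the stored one.
    return hmac.compare_digest(derive(password, salt, iterations), expected)


def account_name_salted(account, password, iterations=ITERATIONS):
    """The weak scheme from the question: the public account name as salt.
    Kept here only to show the collision the fixed scheme avoids."""
    return derive(password, account.encode("utf-8"), iterations)


def weak_scheme_collides(account, password):
    """True if two independent deployments enrolling the same account name
    and password end up with byte-identical hashes (they do: the salt is
    fully determined by the public account name)."""
    return account_name_salted(account, password) == account_name_salted(account, password)


def strong_scheme_collides(account, password):
    """Same question for the random-salt scheme: enrol twice, compare the
    two stored hashes. Expected False, since each enrolment gets its own salt."""
    set_password(account, password)
    first = HASH_STORE[account][0]
    set_password(account, password)
    second = HASH_STORE[account][0]
    return first == second


if __name__ == "__main__":
    # Constructed sample credentials, not real ones.
    set_password("alice", "correct horse battery staple")
    print("alice ok:", verify_password("alice", "correct horse battery staple"))
    print("alice wrong:", verify_password("alice", "Tr0ub4dor&3"))
    print("account-name salt collides across deployments:", weak_scheme_collides("admin", "hunter2"))
    print("random salt collides across deployments:", strong_scheme_collides("admin", "hunter2"))
```

Two things worth noting about the design: the iteration count is persisted next to each hash rather than assumed globally, which is what makes "double every few years" operationally possible (raise the constant, re-enrol users as they next log in), and the unknown-account path still runs the full derivation so that account enumeration by response time does not become the new weakness.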
