What I stated in my email was a simple way to provide some advantage of a
true salt along with some advantage of simple-to-maintain code.  Nothing is
"completely destroyed"; the net effect of what I mentioned likely cuts out
90% of the bad guys out there because I believe 90% of the script kiddies
out there can't modify the hack-scripts they run.

Since adding real entropy to a salt entails some real work (where do the
entropy bytes come from, where are the salt values kept, etc), I was
suggesting a way to get by some of that.  I don't recall stating anywhere in
my message that "all you need to do is this, my way is perfect".

Congratulations.  You have misunderstood and twisted my words.  Now it's
your turn to post your "understanding of the maths involved" and show me how
to work with salt.

If I wanted to eat flame, I would have stayed with Perl back in '98.



If anyone else has read this far, there is a very good article that
discusses randomness/entropy in one of the last 3 issues of WDJ (sorry but I
forget which one).



>Congratulations. You have probably managed to completely destroy the advantage of salt in
>your usage. Using a derived salt value means, at least to my understanding of the maths
>involved, that you have just KILLED the effect.
>
>Regards
>
>Thomas Tomiczek
>THONA Consulting Ltd.
>(Microsoft MVP C#/.NET)
>
>
>
>> -----Original Message-----
>> From: Craft, Steve [mailto:[EMAIL PROTECTED]]
>> Sent: Wednesday, January 08, 2003 7:08 PM
>> To: [EMAIL PROTECTED]
>> Subject: Re: [ADVANCED-DOTNET] Salt in PasswordDeriveBytes
>>[snip]
