> In the case of a login, this contextual value could be some piece of user
> information (other than password).

I advise against using something that would have low variance or is easily known by an outsider. One of the big benefits of a salt is that it prevents an attacker from pre-computing hashes for common passwords. If you have a salt that can be two values, then you force your attacker to pre-compute twice as large a table for the same effectiveness.

I suggest using random values for salts. They should be changed each time the password is changed. They should be different for each user. They should be large enough that it is unreasonable for an attacker to compute an attack table (8 bytes is common in Unix-land).

On an unrelated note, a trick used in BSD to further frustrate an attacker trying to crack a password hash is to run the hash many times on the previous hash output. This slows down brute force attacks but leaves the user with a reasonably fast login routine.

Hope this was helpful.

Sam

On Tue, Apr 22, 2008 at 11:05 AM, Peter Ritchie <[EMAIL PROTECTED]> wrote:
> On Tue, 22 Apr 2008 16:12:06 +0000, Paul Cowan <[EMAIL PROTECTED]> wrote:
>
>> Hi,
>> The SSL has nothing to do with the password encryption. We just need to
>> make sure the communication is running over HTTPS.
>> Can I use a salt with SHA-512?
>
> Sure, a salt is just extra bytes added to the creation of the hash. This
> could be a constant value, or (better) a contextual value. In the case of
> a login, this contextual value could be some piece of user information
> (other than password). This means that if two users had the same
> password, the stored hash would be extremely likely not to be the same.
>
> See http://www.obviex.com/samples/hash.aspx for an example of one way of
> hashing with salts.
>
> ===================================
> This list is hosted by DevelopMentor(R) http://www.develop.com
>
> View archives and manage your subscription(s) at http://discuss.develop.com

--
"For it is a doctrine not of the tongue but of life. It is not apprehended by the understanding and memory alone, as other disciplines are, but it is received only when it possesses the whole soul, and finds a seat and resting place in the inmost affection of the heart." John Calvin, The Institutes, Book III, Chapter VI, Section 4.
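A worked illustration of the two points made in the reply above (a random, per-user salt that is replaced whenever the password changes, and a hash that is re-run many times over its own output), added here as an example; it is not code from the thread, from the obviex sample, or from either poster. The salt length, iteration count, the `iterations$salt$hash` record layout and all function names are my own assumptions.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Both constants are example choices, not values from the thread: the thread
# cites 8-byte salts as the Unix convention; 16 bytes costs nothing extra.
SALT_BYTES = 16
ITERATIONS = 100_000


def iterated_sha512(password: bytes, salt: bytes, iterations: int) -> bytes:
    """Salted SHA-512, then re-hashed repeatedly over the previous output.

    This is the BSD-style slowdown described in the thread in its plainest
    form: each extra round costs an attacker guessing passwords as much as
    it costs the legitimate login, but one login still finishes in a
    fraction of a second.
    """
    if iterations < 1:
        raise ValueError("iterations must be at least 1")
    digest = hashlib.sha512(salt + password).digest()
    for _ in range(iterations - 1):
        digest = hashlib.sha512(digest).digest()
    return digest


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a self-describing record "iterations$salt_hex$hash_hex".

    A fresh random salt is drawn for every call, which is what makes two
    users with the same password store different hashes, and what gives a
    changed password a new salt. A salt may be passed explicitly for tests.
    """
    if salt is None:
        salt = secrets.token_bytes(SALT_BYTES)
    digest = iterated_sha512(password.encode("utf-8"), salt, iterations)
    return f"{iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash from the stored salt and iteration count, then
    compare in constant time so the comparison itself does not leak how
    long a matching prefix was."""
    iterations, salt_hex, hash_hex = record.split("$")
    digest = iterated_sha512(password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), hash_hex)


def salt_of(record: str) -> bytes:
    """Extract the salt from a stored record (to show re-salting on change)."""
    return bytes.fromhex(record.split("$")[1])


if __name__ == "__main__":
    # Two constructed users who happen to pick the same password.
    alice = hash_password("correct horse battery staple")
    bob = hash_password("correct horse battery staple")
    print("same password, different records:", alice != bob)
    print("alice verifies:", verify_password("correct horse battery staple", alice))
    print("wrong password rejected:", not verify_password("Tr0ub4dor&3", alice))
    # Changing the password draws a new salt as well as a new hash.
    alice_new = hash_password("new passphrase 2008")
    print("salt changed on password change:", salt_of(alice) != salt_of(alice_new))
```

The hand-written loop is there to make the idea visible; the standardized form of the same construction is `hashlib.pbkdf2_hmac("sha512", password, salt, iterations)`, which also stores nothing but the salt, the iteration count and the result, and purpose-built password hashes (bcrypt, scrypt, Argon2) add memory cost on top of iteration count.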