> -----Original Message-----
> From: Justin D. Scott [mailto:[EMAIL PROTECTED]
> Sent: Sunday, May 08, 2005 1:28 PM
> To: CF-Talk
> Subject: RE: HASH() reverse
>
> > > So you might find your hash in the rainbow
> > > tables, but the original string still might not match.
> >
> > True, but in most cases where a hash is used, it doesn't
> > matter; all you need is some string that results in the
> > same hash. That'd be typical for a password system, for
> > instance.
>
> One way to make hashes a LITTLE more secure is to use a "private" string
> when doing the initial hash as well as the comparison hash (say, at log
> in).
This is generally known as "salt" (as in "salting the password").

In addition to what you said, this also makes it more difficult to determine the hash value simply because the parameters aren't as clear. It's easier to search for a hash match if you know the ranges of the search. For example, if your system demands that passwords be between 4 and 12 characters, that limits the search. Using salt adds a (hopefully unknown) parameter to your ranges.

Jim Davis
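To illustrate the thread's point, here is an added example (not from either poster, and not ColdFusion's HASH()): it shows why a plain digest is lookup-able in a precomputed table, why a single site-wide "private" string still lets two users with the same password collide, and how a per-user random salt plus a slow KDF avoids both. The sample "rainbow table" and passwords are constructed.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed stand-in for a rainbow table: unsalted SHA-256 digests of a
# few common passwords, precomputed once and reusable against any captured hash.
COMMON = ["password", "letmein", "123456"]
RAINBOW = {hashlib.sha256(p.encode()).hexdigest(): p for p in COMMON}

def unsalted_hash(password: str) -> str:
    """Plain HASH(password): identical inputs give identical digests."""
    return hashlib.sha256(password.encode()).hexdigest()

def lookup_unsalted(digest: str) -> Optional[str]:
    """Attacker-side view: a bare digest is a dictionary key."""
    return RAINBOW.get(digest)

def private_string_hash(password: str, private: str) -> str:
    """The list's suggestion: a fixed secret string mixed into every hash.
    Defeats a generic table, but two users with the same password still
    produce the same digest, and one leak of `private` breaks all of them."""
    return hashlib.sha256((private + password).encode()).hexdigest()

def make_salted_record(password: str, iterations: int = 100_000) -> dict:
    """Per-user random salt + PBKDF2 (deliberately slow); the salt is stored
    in the clear next to the digest, it only needs to be unique, not secret."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations, "digest": digest.hex()}

def verify_salted(password: str, record: dict) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(record["salt"]), record["iterations"]
    )
    return hmac.compare_digest(candidate, bytes.fromhex(record["digest"]))
```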

