Security works best in layers. In general my experience with salting is that it just makes it harder for the "hacker". For instance, if you are using encryption with multiple iterations and salt, it just makes more pieces of information a hacker would have to get a hold of to successfully decrypt it. Of course, hashes are a one-way street, but rainbow tables get much more difficult when you are salting and doing multiple hashes.

Also, if your users might not be accessing your site over SSL, you can pass a salted encrypted version of the password over the wire along with the salt used. (CF Administrator does this.) It's obfuscation at best, but now our packet sniffing hacker has to have basic knowledge of your login screen (what algorithm to use etc.) and be able to intercept multiple pieces of data from the request to put the puzzle back together.

~Brad

----- Original Message -----
From: <[email protected]>
To: "cf-talk" <[email protected]>
Sent: Wednesday, January 14, 2009 8:41 PM
Subject: Re: Beefing up authentication

> Does salting a hashed password really make a difference? Is the goal such
> that if a hacker gets to the database they won't have the salt used to
> hash the pw, making it more difficult to crack the pw? Just curious...
>
> Thanks,
> mike

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:317972
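A worked example of the point Brad and Mike are discussing, added here and not taken from the thread or from ColdFusion: a per-user random salt plus an iterated hash (PBKDF2-HMAC-SHA256, iteration count and record format are assumptions) next to a single unsalted SHA-256, with a tiny constructed wordlist standing in for a precomputed (rainbow) table.

```python
import hashlib
import hmac
import os

# Assumed parameters for this example (not from the thread): PBKDF2-HMAC-SHA256,
# a 16-byte random salt per user, iteration count stored alongside the hash.
ITERATIONS = 100_000
SALT_BYTES = 16

def hash_password(password, salt=None, iterations=ITERATIONS):
    """Return a self-describing record: algorithm$iterations$salt_hex$hash_hex."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # fresh, unpredictable salt for every user
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"

def verify_password(password, record):
    """Recompute with the salt and iteration count stored in the record; constant-time compare."""
    algo, iterations, salt_hex, hash_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported record format")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), hash_hex)

def precomputed_table_hits(stored, wordlist):
    """Look unsalted SHA-256 hashes up in a table built once from a wordlist.
    Returns {user: recovered_password} for every stored hash found in the table."""
    table = {hashlib.sha256(w.encode("utf-8")).hexdigest(): w for w in wordlist}
    return {user: table[h] for user, h in stored.items() if h in table}

def demo():
    # Constructed sample data: two users chose the same weak password.
    wordlist = ["password", "letmein", "123456"]
    users = {"alice": "letmein", "bob": "letmein"}
    # Single unsalted SHA-256: equal passwords give equal hashes, and one
    # precomputed table answers for every user at once.
    unsalted = {u: hashlib.sha256(p.encode("utf-8")).hexdigest() for u, p in users.items()}
    hits = precomputed_table_hits(unsalted, wordlist)
    # Salted and iterated: equal passwords give different records, so a table
    # would have to be rebuilt per salt, and each guess costs ITERATIONS hashes.
    salted = {u: hash_password(p) for u, p in users.items()}
    return {
        "unsalted_identical": unsalted["alice"] == unsalted["bob"],
        "table_hits": len(hits),
        "salted_identical": salted["alice"] == salted["bob"],
        "salted_verify": verify_password("letmein", salted["alice"])
                         and not verify_password("letmein!", salted["bob"]),
    }

if __name__ == "__main__":
    print(demo())
```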

