On 05/30/2012 03:25 PM, Maarten Billemont wrote:
> I'm currently considering asking the user for their full name and using that as a salt in the scrypt operation. Full names are often lengthy and there's a good deal of them. Do you reckon this might introduce enough entropy
In the case of salts, we can think of entropy as the amount of information that's unpredictable to an attacker. A person's name is only unpredictable to an attacker when he doesn't yet know whom he's attacking.
So in the case of a database of 16 M users' passwords being hacked, it might be useful in that the attacker will have to go after user accounts one at a time rather than allowing a precomputation project to be useful for attacking anyone. But it's reasonable to expect that the user's full name will be in the same database table, so it's not a secret after the data breach.
In the case of an attacker targeting a specific user, it does not seem particularly useful.
> or should I also be asking for the user's birth date?
Might add a little. 8 or 9 bits or so for the day, maybe another 5 or 6 bits for the year. Probably only a significant improvement for a system on the borderline of failure.
> I'm just thinking that this is good information that will make for a wide enough range of different salts that it will hopefully make rainbow tables too expensive while still avoiding the problem that a user cannot remember any random salt of such entropy.
I would suggest not trying to gain meaningful security from a "stateless salt". Focus instead on making the best possible stateful password manager app or on usability improvements that allow people to generate and remember stronger passphrases.
Don't assume that the best you can come up with is actually secure enough to represent a real improvement. I'm sorry, I know this is dismal, but such is the state of password based systems. Computers have been getting faster at attacking passwords for decades now whereas humans are not getting any better at remembering them.
- Marsh
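The following is an added example, not code from either poster. It illustrates the point discussed in the thread: a salt derived from a name and birth date separates users from one another, but once those facts are known a guess table can be built in advance, which a random stored salt prevents. The salt encoding, the function names, the sample user and the guess list are all assumptions made for the demonstration, and the scrypt cost is kept small so it runs quickly.

```python
import hashlib
import math
import os

# Small scrypt cost so the demo finishes quickly (assumption, not a recommendation).
N, R, P = 2**10, 8, 1

def kdf(password: str, salt: bytes) -> bytes:
    """Derive a 32-byte key with scrypt."""
    return hashlib.scrypt(password.encode(), salt=salt, n=N, r=R, p=P, dklen=32)

def stateless_salt(full_name: str, birth_date: str = "") -> bytes:
    """Hypothetical encoding of a salt built only from facts the user remembers."""
    return f"{full_name.strip().lower()}|{birth_date}".encode()

def precompute(salt: bytes, candidates):
    """Guess table (derived key -> password); buildable as soon as the salt is known."""
    return {kdf(pw, salt): pw for pw in candidates}

def birthdate_bits(year_span: int) -> float:
    """Upper bound on bits a birth date adds, assuming uniform days and years."""
    return math.log2(366) + math.log2(year_span)

# Constructed guess list and constructed user record.
CANDIDATES = ["123456", "password", "letmein", "correct horse"]
NAME, DOB, PASSWORD = "Alice Example", "1980-02-29", "letmein"

def demo():
    # The table needs only the name and birth date, so it can exist
    # before any stored key is ever seen.
    table = precompute(stateless_salt(NAME, DOB), CANDIDATES)

    # Key derived with the stateless salt: found by a plain lookup.
    hit_stateless = table.get(kdf(PASSWORD, stateless_salt(NAME, DOB)))

    # Key derived with a random 16-byte stored salt: the same table is
    # useless, and guessing can only start once that salt is disclosed.
    hit_random = table.get(kdf(PASSWORD, os.urandom(16)))
    return hit_stateless, hit_random

if __name__ == "__main__":
    print(demo())
    print(round(birthdate_bits(32), 1), round(birthdate_bits(64), 1))
```
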