Hi Jacques and Adam,

Yes, I understand why a salt is a good idea. As well as making a
dictionary attack much harder, a salt ensures that if two users happen
to choose the same password, they will have different encrypted
passwords.

Since the salt should be unique for each user, shouldn't the length be
sufficient to ensure that's so? As it stands, a random length between
1 and 15 means about one-fifteenth of our users will have one
character salts. The salt characters are drawn from a list of 64, so
if we have more than 960 (15 * 64) users, probably two of them will
have the same salt character. Or to put it another way, if there are
more than 480 users, there's a better than even chance two of them
have the same salt character. So we reduce the chance of discovering
that two users have the same password by a factor of hundreds. Make
the salt always four characters, and the chances are one in 16
million.

I don't see any point in a shorter salt than that.

There's a discussion on the issues at
http://stackoverflow.com/questions/184112/what-is-the-optimal-length-for-user-password-salt

Cheers

Paul Foxworthy

On 27 April 2012 16:46, Jacques Le Roux [via OFBiz]
<ml-node+s135035n4591890...@n4.nabble.com> wrote:
> If you believe 1 is enough then +1 for me
> Actually as it's only salt, I think it's ok
>
> Jacques
>
> From: "Adam Heath" <[hidden email]>
>
>> On 04/24/2012 07:49 AM, Paul Foxworthy wrote:
>>> Hi Adam,
>>>
>>> Maybe I'm missing something, but if the salt is a random length and might
>>> be 0 characters, doesn't that mean that some passwords, randomly, won't get
>>> the benefit of a salt? Why not make the salt a fixed length, or a random
>>> length with a reasonable minimum?
>>
>> The key is that if you continuously set the *same* password value, you
>> will get *different* crypted output.  With no salt, the same output
>> will happen.  Maybe I could have a minimum length of 1.  The main
>> thing, however, is to make it more complex for crackers to use a
>> dictionary attack.
>>
>> As for having a fixed or random length, it allows for having a few
>> more bits of randomness as part of the salt.
>
>



-- 
Coherent Software Australia Pty Ltd
PO Box 2773
Cheltenham Vic 3192
Phone: (03) 9585 6788
Fax: (03) 9585 1086
Web: http://www.cohsoft.com.au/
Email: sa...@cohsoft.com.au

Bonsai ERP, the all-inclusive ERP system
http://www.bonsaierp.com.au/
