Initially I suggested 5 as min
Jacques
From: "Paul Foxworthy" <p...@cohsoft.com.au>
Hi Jacques and Adam,
Yes, I understand why a salt is a good idea. As well as making a
dictionary attack much harder, a salt ensures that if two users happen
to choose the same password, they will have different encrypted
passwords.
Since the salt should be unique for each user, shouldn't the length be
sufficient to ensure that's so? As it stands, a random length between
1 and 15 means about one-fifteenth of our users will have one
character salts. The salt characters are drawn from a list of 64, so
if we have more than 960 (15 * 64) users, probably two of them will
have the same salt character. Or to put it another way, if there's
more than 480 users, there's a better than even chance two of them
have the same salt character. So we reduce the chance of discovering
that two users have the same password by a factor of hundreds. Make
the salt always four characters, and the chances are one in 16
million.
I don't see any point in a shorter salt than that.
There's a discussion on the issues at
http://stackoverflow.com/questions/184112/what-is-the-optimal-length-for-user-password-salt
Cheers
Paul Foxworthy
On 27 April 2012 16:46, Jacques Le Roux [via OFBiz]
<ml-node+s135035n4591890...@n4.nabble.com> wrote:
If you believe 1 is enough then +1 for me
Actually as it's only salt, I think it's ok
Jacques
From: "Adam Heath" <[hidden email]>
On 04/24/2012 07:49 AM, Paul Foxworthy wrote:
Hi Adam,
Maybe I'm missing something, but if the salt is a random length and might
be 0 characters, doesn't that mean that some passwords, randomly, won't get
the benefit of a salt? Why not make the salt a fixed length, or a random
length with a reasonable minimum?
The key is that if you continuously set the *same* password value, you
will get *different* crypted output. With no salt, the same output
will happen. Maybe I could have a minimum length of 1. The main
thing, however, is to make it more complex for crackers to use a
dictionary attack.
As for having a fixed or random length, it allows for having a few
more bits of randomness as part of the salt.
--
Coherent Software Australia Pty Ltd
PO Box 2773
Cheltenham Vic 3192
Phone: (03) 9585 6788
Fax: (03) 9585 1086
Web: http://www.cohsoft.com.au/
Email: sa...@cohsoft.com.au
Bonsai ERP, the all-inclusive ERP system
http://www.bonsaierp.com.au/
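As an added example (not code from the thread or from OFBiz's HashCrypt), the calculation below works through the salt-collision argument above: the birthday-problem probability that two users share a salt, for salts of a given length over a 64-character alphabet, next to a fixed-length CSPRNG salt generator of the kind Paul proposes. The exact 64-character alphabet is assumed (crypt-style `[A-Za-z0-9./]`); the page does not list it.

```python
import math
import secrets
import string

# Assumed 64-character salt alphabet; the thread only says "a list of 64".
SALT_ALPHABET = string.ascii_letters + string.digits + "./"
assert len(SALT_ALPHABET) == 64


def salt_space(length: int, alphabet_size: int = len(SALT_ALPHABET)) -> int:
    """Number of distinct salts of exactly `length` characters."""
    return alphabet_size ** length


def collision_probability(users: int, space: int) -> float:
    """Birthday-problem probability that at least two of `users` salts,
    each drawn uniformly from `space` values, are identical."""
    if users > space:
        return 1.0  # pigeonhole: a repeat is certain
    # P(no collision) = prod_{i=0}^{users-1} (1 - i/space); sum logs for stability
    log_no_collision = sum(math.log1p(-i / space) for i in range(users))
    return 1.0 - math.exp(log_no_collision)


def users_for_even_odds(space: int) -> int:
    """Smallest user count at which a shared salt is more likely than not.
    Builds the no-collision product incrementally (O(n) rather than O(n^2))."""
    n = 0
    log_no_collision = 0.0
    while True:
        log_no_collision += math.log1p(-n / space)  # term for the (n+1)-th user
        n += 1
        if 1.0 - math.exp(log_no_collision) >= 0.5:
            return n


def expected_shortest_salts(users: int, min_len: int = 1, max_len: int = 15) -> float:
    """With a uniformly random salt length in [min_len, max_len], the expected
    number of users who receive the shortest (weakest) salt."""
    return users / (max_len - min_len + 1)


def generate_salt(length: int = 4) -> str:
    """Fixed-length salt from the OS CSPRNG; every user gets the full length."""
    return "".join(secrets.choice(SALT_ALPHABET) for _ in range(length))


if __name__ == "__main__":
    for length in (1, 2, 4):
        space = salt_space(length)
        print(f"{length}-char salt: {space:>10} values, even odds of a repeat at "
              f"{users_for_even_odds(space)} users")
    print("example 4-char salt:", generate_salt(4))
```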