It's a useful thought exercise but go ahead and finish that thought. Where would you put the salt if not with the password? If you can find a better, more secure storage location for the hash, why don't you put the passwords there? Per-password salt is the best protection against dictionary attacks, and storing the hash with the password is a widely accepted and used practice. You can of course store it somewhere else, but it won't buy you any more security.
Kalle

On Sat, Oct 30, 2010 at 1:05 AM, Peter Ledbrook <[email protected]> wrote:
> Hi,
>
> I came across the changes to the credential matching and wondered
> about the recommendations for generating the salt for passwords. The
> Javadoc suggests storing the salt along with the credentials, but
> doesn't this defeat the purpose somewhat? If an attacker has gained
> access to the hashed passwords, wouldn't they also have access to the
> salts? Hence they can still use dictionary attacks. Am I missing
> something here?
>
> Thanks,
>
> Peter
>
> --
> Peter Ledbrook
> Grails Advocate
> SpringSource - A Division of VMware
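To make the point of this exchange concrete, here is an added example (not Shiro's code and not from either poster) that stores a random per-password salt next to the PBKDF2 hash and then shows why a precomputed dictionary table only pays off when records share a salt. The record format, iteration count and sample word list are assumptions for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 50_000  # assumed work factor for this example; tune for your hardware


def hash_password(password: str, salt: bytes = None, iterations: int = ITERATIONS) -> str:
    """Hash with PBKDF2-HMAC-SHA256 and return a self-describing record that keeps
    the salt beside the hash: 'pbkdf2_sha256$<iters>$<salt hex>$<hash hex>'."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt for every password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    algo, iterations, salt_hex, hash_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError(f"unsupported record format: {algo}")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), hash_hex)


def build_table(words, salt: bytes) -> dict:
    """One-off precomputation that is only worthwhile when every record uses this salt."""
    return {hash_password(w, salt).split("$")[3]: w for w in words}


def table_hits(records, table: dict) -> int:
    """Count stored records the precomputed table matches with no further hashing."""
    return sum(1 for r in records if r.split("$")[3] in table)
```

With a shared salt the table built once matches every user who chose a dictionary word; with a per-password salt the same table matches nothing, and the attacker must redo the full PBKDF2 work per record.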
