On Oct 30, 2010, at 1:05 AM, Peter Ledbrook wrote:

> Hi,
>
> I came across the changes to the credential matching and wondered
> about the recommendations for generating the salt for passwords. The
> Javadoc suggests storing the salt along with the credentials, but
> doesn't this defeat the purpose somewhat? If an attacker has gained
> access to the hashed passwords, wouldn't they also have access to the
> salts? Hence they can still use dictionary attacks. Am I missing
> something here?
If the salt is random per password, then one cannot use a dictionary attack.

Regards,
Alan
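
The exchange above turns on one point: the salt stored next to each hash is not a secret, and the attacker who steals the table is expected to have it. What a random per-password salt buys is that no precomputed table and no single pass over a word list can be reused across accounts, or across installations, so every record has to be attacked on its own. The following is an added example (not code from this thread or from the project being discussed) that makes that concrete: a salted PBKDF2-HMAC-SHA256 record format that stores the salt in the clear, a verifier that reads the salt back out of the record, and a model of an attacker holding the whole table who caches one word-list table per distinct salt. The record layout, the sample accounts and the word list are all constructed for this example. The same attacker code does one word-list pass against a store with a shared salt and one pass per account against a store with random salts; in both cases it still recovers the weak password, which is why the salt is paired with a slow key-derivation function and a high work factor.

```python
import hashlib
import hmac
import os

# Work factor for real deployments; the demo below uses a smaller one so it runs quickly.
ITERATIONS = 600_000
DEMO_ITERATIONS = 10_000
SALT_LEN = 16  # 128-bit random salt per password

# Constructed sample data (not from the thread): three accounts, two sharing a weak password.
USERS = {
    "alice": "hunter2",
    "bob": "hunter2",
    "carol": "correct horse battery staple",
}
# Constructed attacker word list.
WORDLIST = ["password", "letmein", "123456", "qwerty", "hunter2"]


def hash_password(password, salt=None, iterations=ITERATIONS):
    """Hash a password with PBKDF2-HMAC-SHA256 and return a self-describing record.

    The salt is stored in the record, in the clear, next to the hash: it is not
    a secret, only a per-password uniqueness value, so storing it is by design.
    Record layout (hypothetical, chosen for this example):
        pbkdf2_sha256$<iterations>$<salt hex>$<hash hex>
    """
    if salt is None:
        salt = os.urandom(SALT_LEN)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password, record):
    """Recompute the hash using the salt and work factor stored in the record."""
    algo, iters, salt_hex, hash_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError(f"unsupported record format: {algo}")
    dk = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters)
    )
    # Constant-time comparison so the check does not leak how many bytes matched.
    return hmac.compare_digest(dk.hex(), hash_hex)


def dictionary_attack(records, wordlist):
    """Model of an attacker who holds the whole credential table, salts included.

    The attacker hashes the word list once per distinct (salt, iterations) pair
    and caches the table. If every record shares one salt, a single table serves
    all of them; with a random salt per record the word list must be re-hashed
    for every account. Returns the cracked accounts and the number of KDF calls,
    which is the attacker's real cost.
    """
    cracked = {}
    tables = {}
    kdf_calls = 0
    for user, record in records.items():
        _, iters, salt_hex, hash_hex = record.split("$")
        key = (salt_hex, iters)
        if key not in tables:
            salt = bytes.fromhex(salt_hex)
            table = {}
            for word in wordlist:
                guess = hashlib.pbkdf2_hmac("sha256", word.encode("utf-8"), salt, int(iters))
                table[guess.hex()] = word
                kdf_calls += 1
            tables[key] = table
        if hash_hex in tables[key]:
            cracked[user] = tables[key][hash_hex]
    return cracked, kdf_calls


def build_store(shared_salt=None, iterations=DEMO_ITERATIONS):
    """Hash every sample user; shared_salt=None gives each record its own random salt."""
    return {u: hash_password(p, shared_salt, iterations) for u, p in USERS.items()}


if __name__ == "__main__":
    shared = build_store(shared_salt=b"\x00" * SALT_LEN)
    per_user = build_store()
    print("same password, shared salt  -> identical records:", shared["alice"] == shared["bob"])
    print("same password, random salts -> identical records:", per_user["alice"] == per_user["bob"])
    for label, store in (("shared salt", shared), ("random salts", per_user)):
        cracked, calls = dictionary_attack(store, WORDLIST)
        print(f"{label}: {calls} KDF calls, cracked {sorted(cracked)}")
```

Running it shows the two effects side by side: with a shared salt, alice and bob have byte-identical records (leaking that they share a password) and one word-list pass cracks both; with random salts the records differ and the attacker pays one pass per account. The weak password still falls in both cases, so the per-guess cost set by the iteration count is what protects accounts once the salt has forced the attacker to work per record.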
