---------- Forwarded message ----------
From: Isaak Malik <[EMAIL PROTECTED]>
Date: Sun, Apr 20, 2008 at 12:23 AM
Subject: Re: [fw-general] adding "salt" to logging in and password security
To: Joó Ádám <[EMAIL PROTECTED]>
On Sat, Apr 19, 2008 at 9:07 PM, Joó Ádám <[EMAIL PROTECTED]> wrote:
> 'That website mentions storing these hashes in the database just to
> make every password hash look different for every user, this only
> doesn't increase protection from brute force attacks'
>
> Have you read it? You have to calculate an individual dictionary for
> every password.
>
> 'What exact attack scenario is this "static [salt] which is located
> outside of your web root" supposed to protect against?'
>
> MySQL compromised, Apache isn't.
>
>
> Regards,
> Ádám

'What exact attack scenario is this "static [salt] which is located outside of your web root" supposed to protect against?'

This will increase the difficulty of cracking your hashes with brute force when the hacker has access to your database; by only using the salt stored in the database, it will be the same for the hacker as if no salt was used to hash the password.

"Have you read it? You have to calculate an individual dictionary for every password."

Yes, I did read it; even if a password has been cracked, it won't be much trouble for the hacker to crack a duplicate even if it has another salt, unless we're talking about a dictionary containing millions of words.

--
Isaak Malik
Web Developer
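As an added illustration of the two points argued above (example code, not from the thread or from Zend Framework; the pepper value, iteration count and function names are constructed assumptions): a random per-user salt stored next to the hash in the database, plus a static secret kept in server config outside the web root (commonly called a pepper). The last two functions model Ádám's "MySQL compromised, Apache isn't" case and his "individual dictionary per password" point.

```python
import hashlib
import hmac
import os

# Constructed example value: the static secret the thread calls a "static salt
# outside the web root". It lives in server config and is never written to the DB.
PEPPER = b"constructed-secret-from-config-file-outside-web-root"
ITERATIONS = 100_000  # slow KDF so every guess costs the attacker real work


def hash_password(password: str, salt: bytes, pepper: bytes) -> bytes:
    """Mix the static pepper in via HMAC, then run a slow KDF with the per-user salt."""
    keyed = hmac.new(pepper, password.encode("utf-8"), hashlib.sha256).digest()
    return hashlib.pbkdf2_hmac("sha256", keyed, salt, ITERATIONS)


def make_record(password: str) -> dict:
    """What the database row holds: a random per-user salt and the resulting hash."""
    salt = os.urandom(16)
    return {"salt": salt, "hash": hash_password(password, salt, PEPPER)}


def verify(password: str, record: dict) -> bool:
    """Login check on the web server, which is the only place that knows the pepper."""
    candidate = hash_password(password, record["salt"], PEPPER)
    return hmac.compare_digest(candidate, record["hash"])


def db_only_guess_matches(password: str, record: dict) -> bool:
    """Model the 'MySQL compromised, Apache isn't' case: someone holding only the
    dump has the salt and hash but not the config, so can only try with no pepper.
    Returns False even for the correct password."""
    candidate = hash_password(password, record["salt"], b"")
    return hmac.compare_digest(candidate, record["hash"])


def per_user_salt_separates_duplicates(password: str) -> bool:
    """Two users with the same password get different hashes, so one cracked hash
    does not directly reveal the duplicate (the 'individual dictionary' point)."""
    a, b = make_record(password), make_record(password)
    return a["hash"] != b["hash"] and verify(password, a) and verify(password, b)
```

The two mechanisms address different risks: the per-user salt defeats shared precomputed dictionaries, while the pepper makes a database-only dump useless for offline cracking as long as the config stays private; neither replaces the slow KDF.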
