On Sat, Apr 19, 2008 at 3:07 PM, Joó Ádám <[EMAIL PROTECTED]> wrote:
> 'That website mentions storing these hashes in the database just to
> make every password hash look different for every user, this only
> doesn't increase protection from brute force attacks'
>
> Have you read it? You have to calculate an individual dictionary for
> every password.
>
> 'What exact attack scenario is this "static [salt] which is located
> outside of your web root" supposed to protect against?'
>
> MySQL compromised, Apache isn't.
That attack scenario doesn't make sense.

1) It's more likely that Apache or scripts running within it will be compromised over MySQL. MySQL usually isn't even exposed to the outside.

2) Without the additional "static" salt the attacker would have to build a custom dictionary for each password. Their success rate would be so low given the amount of resources required, it's not worth the cost of using a "static salt". It's like putting bumper guards on a bullet-proof car.

3) Considering that passwords are probably submitted to the server in clear text, your security efforts would be better served elsewhere. If you care that much about security, you should be using a different system entirely (e.g. multi-factor secure key style system).

Mike

--
Michael B Allen
PHP Active Directory SPNEGO SSO
http://www.ioplex.com/
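Added here as an illustration, not code from the thread: one way to implement the two mechanisms being argued over, a random per-user salt stored next to the digest and a static secret (a "pepper") kept outside the database. The function names and the PEPPER value are constructed for the example.

```python
import hashlib
import hmac
import os

# Constructed demo secret. In the setup discussed in the thread this would
# live in a file outside the web root (or a secrets store), never in the
# MySQL table that holds the per-user salts and digests.
PEPPER = b"constructed-demo-pepper-do-not-reuse"
ITERATIONS = 100_000  # PBKDF2 work factor; raise for production hardware


def hash_password(password, pepper=PEPPER, salt=None):
    """Return (salt, digest) for storage in the database.

    salt   - 16 random bytes, unique per user, stored beside the digest; it
             forces a separate dictionary per user.
    pepper - static secret held outside the database; mixed in via HMAC so a
             dump of the table alone cannot be checked against any dictionary.
    """
    if salt is None:
        salt = os.urandom(16)
    keyed = hmac.new(pepper, password.encode("utf-8"), hashlib.sha256).digest()
    digest = hashlib.pbkdf2_hmac("sha256", keyed, salt, ITERATIONS)
    return salt, digest


def verify_password(password, salt, digest, pepper=PEPPER):
    """Recompute the digest with the stored salt and compare in constant time."""
    _, candidate = hash_password(password, pepper, salt)
    return hmac.compare_digest(candidate, digest)


def same_password_distinct_digests(password):
    """Two users with the same password end up with unrelated stored digests."""
    _, d1 = hash_password(password)
    _, d2 = hash_password(password)
    return d1 != d2


if __name__ == "__main__":
    salt, digest = hash_password("correct horse")
    print("distinct per-user digests:", same_password_distinct_digests("correct horse"))
    print("verify with pepper:", verify_password("correct horse", salt, digest))
    # Database-only compromise: salt and digest are known, the pepper is not.
    print("verify without pepper:", verify_password("correct horse", salt, digest, pepper=b"guess"))
```

The final check models the "MySQL compromised, Apache isn't" scenario: with the salt and digest but not the pepper, the stored value cannot be verified against any guess.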
