On Sat, Apr 19, 2008 at 6:24 PM, Isaak Malik <[EMAIL PROTECTED]> wrote:

> 'What exact attack scenario is this "static [salt] which is located
> outside of your web root" supposed to protect against?'
>
> This will increase the difficulty of cracking your hashes with brute force
> when the hacker has access to your database. By only using the salt stored
> in the database, it will be the same for the hacker as if no salt was used to
> hash the password.

I don't even understand this statement, so it's hard to comment. But I have a feeling that you don't understand how the hashing methods we're talking about actually work.

> "Have you read it? You have to calculate an individual dictionary for
> every password."
>
> Yes, I did read it. Even if a password has been cracked, it won't be much
> trouble for the hacker to crack a duplicate even if it has another salt,
> unless we're talking about a dictionary containing millions of words.

Ahh, yes, you definitely don't understand how these hashing methods work.

A password salt is a randomly generated value that is computed anew every time someone sets their password. Even if the same user sets the same password twice, the salt and thus the hash will be totally different every time. To crack one single password, the attacker would have to compute a dictionary of passwords with that specific salt just to crack that one password. That's not likely.

An additional "static salt" does not help unless the attacker has the password database but not the "static salt", which is also not very likely.

Mike

--
Michael B Allen
PHP Active Directory SPNEGO SSO
http://www.ioplex.com/
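The per-user-salt argument made in the reply above, worked through as an added example (this is not code from the thread or from either poster; PBKDF2-HMAC-SHA256 with a low iteration count stands in for whatever hash the list was discussing, and the `FIXED_SALT` value, the sample passwords and the four-word list are all constructed here). It shows the two situations the thread argues about: with one shared salt an attacker who stole the table hashes the word list once and looks every user up in that single table; with a random per-user salt the same table matches nothing and the attacker has to redo the whole dictionary for each row. It also shows the "static salt" (pepper kept outside the database) only mattering when the attacker has the rows but not that secret.

```python
import hashlib
import hmac
import os

# Constructed parameters for the example. The iteration count is kept low so the
# demonstration runs quickly; a production setting would be far higher.
ITERATIONS = 5_000
FIXED_SALT = b"static-site-salt"  # hypothetical single salt shared by every user


def hash_password(password: str, salt: bytes, pepper: bytes = b"") -> bytes:
    """Derive a hash from password + salt. An optional secret pepper, stored outside
    the database (the thread's "static salt outside the web root"), is mixed in
    afterwards with HMAC so a stolen table alone is not enough to test guesses."""
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    if pepper:
        dk = hmac.new(pepper, dk, "sha256").digest()
    return dk


def create_record(password: str, pepper: bytes = b"") -> dict:
    """Generate a fresh random salt for this password and store it beside the hash,
    exactly as a user table row would (the salt is not secret)."""
    salt = os.urandom(16)
    return {"salt": salt, "hash": hash_password(password, salt, pepper)}


def verify(password: str, record: dict, pepper: bytes = b"") -> bool:
    """Recompute with the stored salt and compare in constant time."""
    candidate = hash_password(password, record["salt"], pepper)
    return hmac.compare_digest(candidate, record["hash"])


def attack_with_shared_table(records: dict, wordlist: list,
                             salt: bytes = FIXED_SALT) -> tuple:
    """Attacker against a one-salt-for-everyone scheme: hash the word list once,
    then look every stolen row up in that single table.
    Returns (cracked user -> password, hash computations spent)."""
    table = {hash_password(word, salt): word for word in wordlist}
    cracked = {user: table[rec["hash"]]
               for user, rec in records.items() if rec["hash"] in table}
    return cracked, len(wordlist)


def attack_per_salt(records: dict, wordlist: list, pepper: bytes = b"") -> tuple:
    """Attacker against per-user salts: the dictionary must be rebuilt under each
    row's own salt, so the work grows with the number of rows.
    Returns (cracked user -> password, hash computations spent)."""
    cracked, work = {}, 0
    for user, rec in records.items():
        for word in wordlist:
            work += 1
            if hash_password(word, rec["salt"], pepper) == rec["hash"]:
                cracked[user] = word
                break
    return cracked, work


if __name__ == "__main__":
    words = ["123456", "password", "letmein", "hunter2"]  # constructed word list
    alice, bob = create_record("letmein"), create_record("letmein")
    print("same password, different hashes:", alice["hash"] != bob["hash"])
    print("shared table vs per-user salts:",
          attack_with_shared_table({"alice": alice, "bob": bob}, words))
    print("per-salt dictionary:", attack_per_salt({"alice": alice, "bob": bob}, words))
```

Two users who picked the same password get unrelated hashes, so cracking one tells the attacker nothing about the other; and a table built under one salt cannot be reused against a row with a different salt, which is the "individual dictionary for every password" point in the quoted text.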
