Having a random salt really does make it much harder to crack the passwords, and I would highly recommend that. With a random salt they would have to attack each password individually rather than attacking them all as a group, but a fixed salt will eliminate the use of rainbow tables.
However, I am not sure of the purpose of hashing it twice. And by the way, please use sha256 or sha512 to avoid the collisions with sha1.

On 07/16/2011 05:25 AM, Jannis Froese wrote:
> Hi,
> I would strongly suggest hashing them a second time after appending a
> salt (the salt could even be fixed). The server would then check the
> password by generating the hash sha1(sha1(password + salt)).
> If we don't add a salt in any way, the passwords are not very secure,
> as unsalted passwords are quickly decrypted using rainbow tables (a sort
> of heavily compressed hash lookup). To see how easy this is, look at
> http://freerainbowtables.com, where you can download tables for
> passwords with up to 9 characters, depending on the complexity of the
> password.
>
> Regards
>
>
> On Sat, 16 Jul 2011 11:01:39 +0200, Stéphane Magnenat
> <[email protected]> wrote:
>> Hello,
>>
>>> Stephane, do you have any idea how to handle this correctly?
>>
>> The correct way would be to see where yog checks the passwords and to
>> add a hash there. We can then apply the same hash function to the
>> password data.
>>
>> I've been looking in YOG's source code; the passwords seem to be
>> already hashed using SHA1, see src/YOGServerPasswordRegistry.cpp:113
>>
>> Therefore, it is probably safe to transmit password data. What do you
>> think?
>>
>> Stéph
>>
>> --
>> Dr Stéphane Magnenat
>> http://stephane.magnenat.net
>>
>> _______________________________________________
>> glob2-devel mailing list
>> [email protected]
>> https://lists.nongnu.org/mailman/listinfo/glob2-devel
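As an added illustration of the fixed-salt versus per-user-salt point made above (example code written for this thread, not code from the glob2 or YOG projects; the salt value and usernames are constructed placeholders, and SHA-256 is used as the reply recommends):

```python
import hashlib
import hmac
import os
from typing import Dict, List, Tuple

# Constructed placeholder for a server-wide fixed salt (the scheme floated in
# the quoted mail). Not a real project value.
FIXED_SALT = b"example-fixed-salt"


def hash_fixed_salt(password: str) -> str:
    """sha256(password + fixed salt): defeats precomputed rainbow tables, but
    every user with the same password still ends up with the same digest."""
    return hashlib.sha256(password.encode("utf-8") + FIXED_SALT).hexdigest()


def make_record(password: str) -> Tuple[bytes, str]:
    """Per-user random salt (the scheme the reply recommends).
    Returns (salt, digest); both are stored, the salt need not be secret."""
    salt = os.urandom(16)
    digest = hashlib.sha256(salt + password.encode("utf-8")).hexdigest()
    return salt, digest


def verify(password: str, salt: bytes, digest: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.sha256(salt + password.encode("utf-8")).hexdigest()
    return hmac.compare_digest(candidate, digest)


def duplicate_groups(records: Dict[str, str]) -> Dict[str, List[str]]:
    """Group usernames by identical digest. With a fixed salt this is exactly
    the 'attack them all as a group' leak: one guess confirms every member.
    With per-user salts the result is empty even for identical passwords."""
    groups: Dict[str, List[str]] = {}
    for user, digest in records.items():
        groups.setdefault(digest, []).append(user)
    return {d: users for d, users in groups.items() if len(users) > 1}
```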
