On 22 Sep., 15:36, JasonG <[EMAIL PROTECTED]> wrote:
>.... Most likely "YES".  Why?
> Because the hashed password used only the cleartext password (+ random
> salt) as key material.
I think you are missing Reinier's point JasonG. Adding username or
whatsoever information to the pass doesn't bring you ANY additional
security AT ALL. It just doesn't - that's what salt is for. It's
making stuff like renaming users etc. harder. But I also don't see how
this can hurt (don't really get Reinier's "collision-point") so if you
really, really, really want to do it - it's up to you. Just don't
convince the others to do something completely unnecessary.

> On a final note - I read up on jBCrypt and it looks great, but ....  I
> would, however, add a concern that jBCrypt is currently a version 0.2
> product produced by an individual, with a license containing no sort
> of warranty.  This is fantastic for average Joe building a web
> application at home or for open source projects - but impractical (and
> possibly not even an option) for anyone building applications for
> financial, insurance, health care, government, or any other highly
> regulated vertical.  There's that whole indemnity issue the lawyers
> and auditors will usually fight over unless they have already approved
> it.
True. Only government-approved algorithms can be used in such
structures and Bcrypt is not among them as far as I know. But most of
the developers will be more than satisfied to have it.
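As an added illustration of the salt-versus-username point made in the reply above (not code from the thread or from jBCrypt), the following Python uses the standard library's PBKDF2 as a stand-in for bcrypt's key stretching. The account names and the shared password are constructed sample data.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Work factor; plays the same role as bcrypt's cost parameter. PBKDF2 is used
# here only because it is in the standard library; the argument is identical for bcrypt.
ITERATIONS = 100_000


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted, stretched hash. The salt is random per stored record, so two users
    with the same password still get different hashes; nothing about the user
    (name, id, e-mail) is mixed into the key material."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, expected: bytes) -> bool:
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, expected)


# The variant debated in the thread: username folded into the key material.
def hash_with_username(username: str, password: str, salt: Optional[bytes] = None):
    return hash_password(username + "\0" + password, salt)


def verify_with_username(username: str, password: str, salt: bytes, expected: bytes) -> bool:
    return verify_password(username + "\0" + password, salt, expected)


def demo() -> Tuple[bool, bool, bool]:
    # Constructed accounts: alice and bob both chose the same password.
    salt_a, hash_a = hash_password("hunter2")
    salt_b, hash_b = hash_password("hunter2")
    distinct_hashes = hash_a != hash_b          # the random salt alone guarantees this

    # Rename alice -> alice2: the salted record still verifies, nothing to migrate.
    rename_ok_salt_only = verify_password("hunter2", salt_a, hash_a)

    # With the username mixed in, the same rename breaks verification, and the
    # hash cannot be recomputed because the cleartext password is not stored.
    salt_u, hash_u = hash_with_username("alice", "hunter2")
    rename_ok_username_mixed = verify_with_username("alice2", "hunter2", salt_u, hash_u)
    return distinct_hashes, rename_ok_salt_only, rename_ok_username_mixed
```

Running `demo()` returns `(True, True, False)`: the salt already separates identical passwords, and mixing in the username only costs you the ability to rename accounts.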