On Friday 08 June 2012 11:29 Andreas Schneider wrote:
> On Friday 08 June 2012 10:40:57 Thomas Tanghus wrote:
> > On Friday 08 June 2012 10:15 Andreas Schneider wrote:
> > > You know there is this rocket science technology from the 70s. It is
> > > called salt in cryptography. I suggested several times to use salting in
> > > owncloud but we still don't have it.
> > >
> > > First linkedin:
> > > http://www.h-online.com/security/news/item/LinkedIn-confirms-that-user-passwords-were-compromised-1612554.html
> > >
> > > then last.fm:
> > > http://www.lastfm.de/passwordsecurity
> > >
> > >
> > > next: your owncloud installation ...
> >
> > Now I don't know much about cryptography, but I read the code, followed
> > the password, and to me it looks like you're spreading FUD:
> >
> > https://gitorious.org/owncloud/owncloud/blobs/master/3rdparty/phpass/PasswordHash.php#line208
>
> I don't see a salt stored next to the password hash in the database, do you?

As I said I don't know much about cryptography or the difference between
stored salts and generated salts - I actually flunked in it, so I leave the
implementation to the experts; would that be you?

What I do know is the reaction when such posts hit e.g. IRC, I actually
noticed it this morning.

But it is good that you take up the subject, and I'm looking forward to
seeing the über secure solution for ownCloud.

--
Med venlig hilsen / Best Regards
Thomas Tanghus
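For reference on the stored-versus-generated salt question in this thread, here is an added example (not code from the thread, ownCloud or phpass itself): a Python re-implementation of phpass's portable `$P$` hash format, in which the random salt and the cost are carried inside the one stored string. The function names, password and account names are constructed for illustration, and the thread does not say which phpass scheme a given installation uses.

```python
import hashlib
import hmac
import os

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def encode64(data: bytes) -> str:
    """phpass's base64 variant: 3-byte groups read little-endian, 6 bits per char."""
    out = []
    for i in range(0, len(data), 3):
        chunk = data[i:i + 3]
        value = int.from_bytes(chunk, "little")
        out.extend(ITOA64[(value >> (6 * k)) & 0x3F] for k in range(len(chunk) + 1))
    return "".join(out)


def hash_password(password: str, salt: str, log2_rounds: int = 13) -> str:
    """Return '$P$' + cost char + 8-char salt + 22-char digest (34 chars total)."""
    if len(salt) != 8 or not 7 <= log2_rounds <= 30:
        raise ValueError("bad salt or cost")
    pw = password.encode()
    digest = hashlib.md5(salt.encode() + pw).digest()
    for _ in range(1 << log2_rounds):  # iterated MD5 stretching
        digest = hashlib.md5(digest + pw).digest()
    return "$P$" + ITOA64[log2_rounds] + salt + encode64(digest)


def parse(stored: str):
    """Split one stored string into (log2 rounds, salt, digest)."""
    if len(stored) != 34 or not stored.startswith("$P$"):
        raise ValueError("not a phpass portable hash")
    return ITOA64.index(stored[3]), stored[4:12], stored[12:]


def check_password(password: str, stored: str) -> bool:
    """Recompute with the salt and cost read back out of the stored string."""
    log2_rounds, salt, _ = parse(stored)
    candidate = hash_password(password, salt, log2_rounds)
    return hmac.compare_digest(candidate.encode(), stored.encode())


if __name__ == "__main__":
    # Constructed sample: two accounts with the same password, fresh salts.
    for user in ("alice", "bob"):
        stored = hash_password("correct horse", encode64(os.urandom(6)))
        print(user, stored, "salt =", parse(stored)[1])
```

Run directly, it prints two different 34-character strings for the same password, each with its own salt in characters 5 to 12.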
