On Wed, Oct 26, 2011 at 12:36 AM, <[email protected]> wrote:

> "Milan Mimica"<[email protected]> wrote:
> > Yes, having the salt randomly generated and storing it with a hash is a
> > better idea. Note taken. Combining it with a fixed salt (and trying to keep
> > it secret) is even better. Keeping a hardcoded salt in the image running on
> > the remote machine serving WEB pages makes it quite secret IMO.
>
> I was referring to Mariano's intent (at least how I understand it) to
> hardcode it "in code". If he's confident he'll be able to keep the code
> secret then he may as well have the password in it in plain text; hashing
> it with or without salt doesn't make much difference IMO.
>

Yes, indeed. I didn't give details. It was something very, very stupid and simple. All I wanted to do was to commit a class I use to build my images, and that class sets my username/password for SqueakSource repositories. But I didn't want to put such a password in the code... In the end what I did (because my scenario is really stupid and only for me) is to read the password from a file on my machine :) hahahahha

Anyway, I learned from the thread :)

> Generating random salt and keeping a hashed password on a deployed system
> is a different scenario. In this case it's different and unpredictable with
> every deployment. When it's hardcoded it's the same everywhere.
>

--
Mariano
http://marianopeck.wordpress.com
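The two schemes the thread contrasts, as an added example (not code from the thread or from Mariano's image): a per-record random salt stored next to a PBKDF2 digest, an optional secret "pepper" playing the role of the fixed salt that is kept out of the stored record, and a check showing that a hardcoded salt makes equal passwords produce equal records everywhere while a random salt does not. The iteration count and salt length are assumptions.

```python
import hashlib
import hmac
import os
from typing import Optional

ITERATIONS = 100_000   # assumption: tune upward for your hardware
SALT_LEN = 16          # assumption: 128-bit random salt per record


def hash_password(password: str, pepper: bytes = b"",
                  salt: Optional[bytes] = None) -> bytes:
    """Return salt || PBKDF2-HMAC-SHA256 digest.

    A fresh random salt is drawn when none is given, so two records for the
    same password differ. The pepper is mixed into the key material but is
    NOT stored with the record; it lives in config/secret storage, not code.
    """
    if salt is None:
        salt = os.urandom(SALT_LEN)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode() + pepper,
                                 salt, ITERATIONS)
    return salt + digest


def verify_password(password: str, stored: bytes, pepper: bytes = b"") -> bool:
    """Recompute from the stored salt and compare in constant time."""
    salt, digest = stored[:SALT_LEN], stored[SALT_LEN:]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode() + pepper,
                                    salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)


def records_collide(password: str, salt: Optional[bytes] = None) -> bool:
    """True if hashing the same password twice yields the same record.

    With a fixed (hardcoded) salt this is True on every deployment, so one
    precomputed table covers them all; with a random salt it is False.
    """
    return hash_password(password, salt=salt) == hash_password(password, salt=salt)


if __name__ == "__main__":
    rec = hash_password("correct horse")          # constructed sample password
    print(verify_password("correct horse", rec))  # True
    print(records_collide("correct horse"))       # False: random salt
    print(records_collide("correct horse", salt=b"\x00" * SALT_LEN))  # True: fixed salt
```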
