On 12/21/2011 12:41 AM, Christof Wollenhaupt wrote:
> If you use CRC functions you should salt the value. That is, adding a few
> application-specific characters before or after the password, then passing
> the result to SYS(2007) - or whatever else. Adding more sophisticated
> functions to calculate the hash value would be possible but not add
> security value. Once you went beyond storing the password, the application
> (with code injection) becomes the weakest link, not cracking a password.
>


That makes sense.  Seems like me just getting and storing the CRC of 
"<whatever prefix I choose here>" along with their password and then on 
the login screen, comparing that same prefix + their entered password 
against the stored value would be sufficient.

I see that approach as responsible.  I'd like to hear someone give an 
explanation as to why it wouldn't be (responsible).

Thanks,
--Mike


-- 
Mike Babcock, MCP
MB Software Solutions, LLC
President, Chief Software Architect
http://mbsoftwaresolutions.com
http://fabmate.com
http://twitter.com/mbabcock16
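The scheme discussed above (fixed application prefix + password, CRC the result, store it, recompute and compare at login) sketched in Python as an added example, not code from the thread or from either poster; `zlib.crc32` stands in for whatever CRC `SYS(2007)` returns, the prefix value is constructed, and the second half shows the hardened form a practitioner would use instead (per-user random salt plus a slow key-derivation function from the standard library).

```python
import hashlib
import hmac
import os
import zlib
from typing import Optional, Tuple

# Constructed value standing in for the "application specific characters"
# from the thread; every user shares this same fixed prefix.
APP_PREFIX = "MBSS-"


def crc_store(password: str) -> int:
    """Scheme from the thread: CRC of (fixed prefix + password).
    zlib.crc32 is assumed as a stand-in for SYS(2007)."""
    return zlib.crc32((APP_PREFIX + password).encode("utf-8"))


def crc_verify(stored: int, attempt: str) -> bool:
    """Login check from the thread: same prefix + entered password, compare."""
    return crc_store(attempt) == stored


def crc_value_space() -> int:
    """A CRC32 can take only 2**32 distinct values, however long the prefix
    is; it is a checksum for detecting transmission errors, not a one-way
    hash, so any input with a matching CRC is accepted as the password."""
    return 2 ** 32


def kdf_store(password: str, salt: Optional[bytes] = None,
              iterations: int = 600_000) -> Tuple[bytes, bytes, int]:
    """Hardened form: a random per-user salt (so equal passwords give
    different records) and PBKDF2-HMAC-SHA256, which is deliberately slow.
    Store all three fields alongside the user."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, iterations)
    return salt, digest, iterations


def kdf_verify(record: Tuple[bytes, bytes, int], attempt: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in
    constant time so the comparison itself leaks nothing."""
    salt, digest, iterations = record
    candidate = hashlib.pbkdf2_hmac("sha256", attempt.encode("utf-8"),
                                    salt, iterations)
    return hmac.compare_digest(candidate, digest)
```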

_______________________________________________
Post Messages to: [email protected]
Subscription Maintenance: http://leafe.com/mailman/listinfo/profox
OT-free version of this list: http://leafe.com/mailman/listinfo/profoxtech
Searchable Archive: http://leafe.com/archives/search/profox
This message: 
http://leafe.com/archives/byMID/profox/[email protected]