On 12/10/12 4:11 PM, Paul McNett wrote:
> On 12/10/12 3:03 PM, Ed Leafe wrote:
>> On Dec 10, 2012, at 4:57 PM, Stephen Russell <[email protected]> wrote:
>>
>>> Never thought of it like that but what if a hacker uses a password that is
>>> already there? They get it all.
>>
>> Only if they guess the correct salt. With unsalted passwords you would
>> be correct (hence the wisdom of salting).
>
> The hacker would need the username plus the password in any case, salted or
> not. I don't understand the issue other than 'duh, if the hacker has the user name
> and the password, they can get in.'
Ok, here's what we are talking about I think:

    def login(user, password):  # 'pass' is a Python keyword, so the parameter is renamed
        # Assumed helpers from the thread's pseudocode: users.getSaltForUser, makeHash,
        # isValidUser, validateUserHash
        salt = users.getSaltForUser(user)
        pw_hash = makeHash(password, salt)
        # The hash is checked against the whole hash table, not against this user's own row
        return isValidUser(user) and validateUserHash(pw_hash)

So if that hash exists anywhere in the secret hash table, AND that user exists in the users table, the user will be validated even if a different password was entered and that password plus that salt yielded a different hash.

So since different combinations of pass+salt could theoretically yield the same hash, this system shouldn't be used for a few reasons I can think of off the top of my head, the main one being: what to do when a user is deleted or changes their password? We can't delete that hash from the table because someone else may be using it too.

I suppose another column could be added to the hash table: known_user_count (int). And then the hash can be deleted if the known_user_count is <=1 and that user is changing their password or being deleted.

But this is likely all academic: I bet the chances of this are so small that we don't need to worry about it. But I don't know this for sure, just musing out loud I suppose.

Paul

This message: http://leafe.com/archives/byMID/profox/[email protected]
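The two designs Paul contrasts, as an added example that is not code from the thread: the shared "secret hash table" login beside a per-user (salt, hash) row lookup. Class and function names are my own, PBKDF2-HMAC stands in for the thread's makeHash, and the users, passwords and reused salt are constructed to force the collision case he describes.

```python
import hashlib
import hmac
import os

def make_hash(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256; iteration count kept low so the example runs quickly.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)

class SharedHashTableAuth:
    """The design from the thread: a salt per user, all hashes in one shared table."""
    def __init__(self):
        self.salts = {}            # user -> salt (the "users" table)
        self.known_hashes = set()  # the separate "secret hash table"
    def add_user(self, user, password, salt=None):
        salt = salt or os.urandom(16)
        self.salts[user] = salt
        self.known_hashes.add(make_hash(password, salt))
    def login(self, user, password):
        # isValidUser(user) and validateUserHash(hash): the hash is never tied to the user.
        return user in self.salts and make_hash(password, self.salts[user]) in self.known_hashes

class PerUserAuth:
    """Fix: store (salt, hash) on the user's own row and compare only against that row."""
    def __init__(self):
        self.rows = {}  # user -> (salt, hash)
    def add_user(self, user, password, salt=None):
        salt = salt or os.urandom(16)
        self.rows[user] = (salt, make_hash(password, salt))
    def login(self, user, password):
        row = self.rows.get(user)
        if row is None:
            return False
        salt, stored = row
        return hmac.compare_digest(make_hash(password, salt), stored)

def demo():
    # Constructed worst case: alice and bob are given the same salt, so alice's stored
    # hash equals what bob's row produces for alice's password. A genuine collision
    # between two different (password, salt) pairs would behave identically.
    salt = b"\x00" * 16
    shared, per_user = SharedHashTableAuth(), PerUserAuth()
    for auth in (shared, per_user):
        auth.add_user("alice", "hunter2", salt)
        auth.add_user("bob", "letmein", salt)
    return {
        "shared_accepts_alices_password_for_bob": shared.login("bob", "hunter2"),
        "per_user_accepts_alices_password_for_bob": per_user.login("bob", "hunter2"),
        "per_user_accepts_bobs_own_password": per_user.login("bob", "letmein"),
    }
```

The per-user design also removes the deletion problem Paul raises: dropping a user's row cannot lock anyone else out, so no known_user_count bookkeeping is needed.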

