On 01/03/2017 15:37, Bob Sneidar via use-livecode wrote:
Hi Peter. Very informative thank you. In the example,

[protected form] = [salt] + protect([protection func], [salt] +

It looks like they are saying to prepent the salt prior to the
protect function (in the case of LC that would be encrypt) but if
someone got access to the SQL database, wouldn't that give part of
the secret away? Isn't the salt value a way to further obscure the
credential, making something like a hash table more difficult?

I use a salt value that only I know, and I password protect the stack
that uses it. Seems to me that prepending the salt to the protected
form is like giving someone my user name but not my password. The
other team is starting on the 50 yard line (in American sports

The idea of a password storage scheme is to make it extremely costly for
an attacker to recover the original passwords, even given _total_ information about the scheme. When evaluating a scheme, you should always assume that if someone has got access to your password database, they have also got access to anything else on that server or any server connected to it -- potentially including your secret salt.

By appending the salt to the front of the protected form, you can use a
different salt for every single password in your database. Even if someone knows a password already (e.g. because they have an account on your server), they gain no information about any of the other passwords in the database.

Password storage schemes like Argon2 go one step further and put all of the parameters for the protected form into the protected string. This allows the parameters to be modified for newly-stored passwords while still being able to verify old passwords. They are also tuned to ensure that it takes a long time to compute the protected form (usually around 0.1 to 0.5 ms). That's long enough that knowing _all_ the parameters still makes it infeasible to figure out what the original password was.

In summary: salt values shouldn't need to be secret.


Dr Peter Brett <peter.br...@livecode.com>
LiveCode Technical Project Manager

lcb-mode for Emacs: https://github.com/peter-b/lcb-mode

use-livecode mailing list
Please visit this url to subscribe, unsubscribe and manage your subscription 

Reply via email to