Re: Oracle hash-list?

From: Joshua Wright (jwright@hasborg.com)
Date: Mon Mar 21 2005 - 11:19:52 EST

• Next message: jamar: "Meet women in your area that want to f:u:c:k!"
• Previous message: James Hackett: "Re: Oracle hash-list?"
• In reply to: Steven DeFord: "Re: Oracle hash-list?"
• Next in thread: McAllister, Andrew: "RE: Oracle hash-list?"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Steven DeFord wrote:
> Isn't using the username as useful as a salt? Better, even, perhaps,
> since usernames are longer than your typical few-character salt?
> Salts just slow down precompiled dictionary attacks, yes? I suppose
> it would be less useful for the few default accounts, but not for all
> the other users.

While this is true, a conflicting salt for users on two different
systems would be a problem, since they will have the same password hash.
  A compromised username/password combination on one system could extend
to another system since there is no unique salt.

-Josh

-- 
-Joshua Wright
jwright@hasborg.com
http://home.jwu.edu/jwright/
pgpkey: http://home.jwu.edu/jwright/pgpkey.htm
fingerprint: FDA5 12FC F391 3740 E0AE BDB6 8FE2 FC0A D44B 4A73
Today I stumbled across the world's largest hotspot.  The SSID is "linksys".

• Next message: jamar: "Meet women in your area that want to f:u:c:k!"
• Previous message: James Hackett: "Re: Oracle hash-list?"
• In reply to: Steven DeFord: "Re: Oracle hash-list?"
• Next in thread: McAllister, Andrew: "RE: Oracle hash-list?"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:54:18 EDT