Security Basics mailing list archives
Re: Hashing passwords
From: Jennifer Wachter <jenny () recurity-labs com>
Date: Tue, 12 Jun 2012 15:28:22 +0200
Hi Hazardous,

> The "manuals" say that we should create a salt and then hash it. But, since calculating a hash is a "relatively simple" operation (in terms of processing power), is hashing the password two or three times (hash over hash) a "kind of" secure method, or is it as weak as not using a salt at all?
I think you got something wrong. A "salt" is not the procedure of hashing the password two or more times. A salt is a randomly generated string that is appended to the plain text password, and then the whole thing is hashed. For example:

PW: password
salt (random): salt
stuff to hash: passwordsalt
sha1hash for passwordsalt: fde41e5e324b4f932a7ea5a056964ed3de60373d

You have to map the salt to a

The random salt is used to make it impossible (or even very expensive) to attack the hash with rainbow tables. If you are using salts, similar passwords of different users don't have the same hash because normally the salt is different. If you don't use salts, hashing the same password will give you the same hash. (Sometimes, different users use the same PW.)

A good explanation of how salts are used and what they are for is on Wikipedia.[1]

HTH,
Jenn

[1] http://en.wikipedia.org/wiki/Salt_%28cryptography%29
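Added example, not from the mail or the list: the per-user random salt Jenn describes, written in Python with SHA-1 over password||salt exactly as in her "passwordsalt" illustration, next to the precomputed digest table that a salt defeats. The usernames, the short wordlist and the in-memory USERS store are constructed for illustration.

```python
import hashlib
import hmac
import os

# Toy user store, constructed for this example: username -> (salt_hex, digest_hex).
USERS = {}

def unsalted_digest(password):
    """SHA-1 of the bare password: identical for every user who picks it."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()

def hash_password(password, salt):
    """SHA-1 over password||salt, the 'passwordsalt' construction from the mail."""
    return hashlib.sha1(password.encode("utf-8") + salt).hexdigest()

def register(username, password, salt=None):
    """Draw a fresh random salt per user and store it next to the digest."""
    if salt is None:
        salt = os.urandom(16)  # 16 random bytes from the OS CSPRNG
    USERS[username] = (salt.hex(), hash_password(password, salt))

def verify(username, password):
    """Recompute with the stored salt and compare in constant time."""
    record = USERS.get(username)
    if record is None:
        return False
    salt_hex, stored = record
    candidate = hash_password(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate, stored)

def salted_digests_differ(password):
    """Two users sharing a password get different digests once salted."""
    register("alice", password)
    register("bob", password)
    return USERS["alice"][1] != USERS["bob"][1]

def precomputed_table(wordlist):
    """Digest -> word table built once, ahead of time, for unsalted hashes."""
    return {unsalted_digest(w): w for w in wordlist}

def lookup(digest, table):
    """Return the word whose digest matches, or None if it is not in the table."""
    return table.get(digest)

if __name__ == "__main__":
    table = precomputed_table(["123456", "password", "letmein"])  # constructed wordlist
    print(lookup(unsalted_digest("password"), table))  # found: "password"
    salted_digests_differ("password")
    print(lookup(USERS["alice"][1], table))  # None: the salt defeats the table
    print(verify("alice", "password"), verify("alice", "wrong"))  # True False
```

The single SHA-1 round is kept to match the mail's illustration; current practice runs the salted password through a deliberately slow function such as PBKDF2 (`hashlib.pbkdf2_hmac`) or bcrypt instead.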