how long should a password be?

Bill Royds bill.royds at royds.net
Sat May 10 18:11:10 CEST 2008



On 10-May-08, at 04:37 , Peter Pentchev wrote:

> It seems that you are missing another important point about the salt -
> it is generated randomly each and every time something needs to be
> encrypted :)  There is no such thing as "the salt value for this user";
> every time this user wants to hash a password, the system generates
> a random salt value and hashes this particular password, just this once,
> with this value.

But this begs the question of how to add the salt properly when
verifying the password against stored values.

To be able to authenticate against a password, it needs to be
available, in some form, as required. Normally that form is in a table
of hashed passwords, where the hashed value is a hashed combination of
the actual password and the salt, Hash(Password, salt). The
authentication routine has the password, but where is the salt stored?
If it is stored along with the password, then it is available to the
cracker who has the hash table, which is necessary for brute force
cracking, so it adds no more security. It can't be generated each time
because it has to be the same as used in creation of the hash table.
So storage of the salt becomes its own security problem.


Bill Royds
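The storage question raised in the message above, worked through as an added example (this is not code from the post or from GnuPG): a random salt is drawn once when the password is set, stored in the clear next to the hash, and read back from that record at verification time. The PBKDF2 parameters, the record format `algo$iterations$salt$hash` and the sample passwords are this example's own choices.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed parameters for this example, not values from the mailing-list post.
SALT_BYTES = 16
ITERATIONS = 100_000
ALGORITHM = "pbkdf2_sha256"


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Create a storable record "pbkdf2_sha256$<iterations>$<salt hex>$<hash hex>".

    A fresh random salt is drawn when the password is set. The salt is kept
    in the record so that verification can recompute exactly the same hash;
    it is not a secret, its job is to make the hash of a given password
    different for every user and to defeat precomputed hash tables.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, ITERATIONS
    )
    return f"{ALGORITHM}${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Re-derive the hash from the salt stored in the record and compare.

    The comparison is constant-time so that a mismatch position does not
    leak through timing. Malformed records are rejected rather than raising.
    """
    try:
        algo, iterations, salt_hex, hash_hex = record.split("$")
        salt = bytes.fromhex(salt_hex)
        rounds = int(iterations)
    except ValueError:
        return False
    if algo != ALGORITHM or rounds <= 0:
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    return hmac.compare_digest(digest.hex(), hash_hex)


def same_password_distinct_records(password: str, users: int = 2) -> bool:
    """Show that users sharing a password still get distinct stored hashes."""
    records = {hash_password(password) for _ in range(users)}
    return len(records) == users


if __name__ == "__main__":
    # Constructed sample: two accounts that happen to use the same password.
    table = {
        "alice": hash_password("correct horse battery staple"),
        "bob": hash_password("correct horse battery staple"),
    }
    for user, record in table.items():
        print(user, record)
    print("alice login ok:", verify_password("correct horse battery staple", table["alice"]))
    print("alice wrong pw:", verify_password("Tr0ub4dor&3", table["alice"]))
    print("distinct hashes for same password:", table["alice"] != table["bob"])
```

Because the salt is read back from the record, nothing has to be "generated each time" at verification, and an attacker holding the table gains nothing from seeing the salt beyond what brute-forcing that one record already requires; what the salt removes is the ability to attack every record with one precomputed table.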







More information about the Gnupg-users mailing list