Comments on: A little salt is a good thing http://www.summa-tech.com/blog/2010/06/23/a-little-salt-is-a-good-thing/?utm_source=rss&utm_medium=rss&utm_campaign=a-little-salt-is-a-good-thing Summa Blog Thu, 17 May 2012 15:31:51 +0000 hourly 1 http://wordpress.org/?v=3.3.2 By: Nick http://www.summa-tech.com/blog/2010/06/23/a-little-salt-is-a-good-thing/comment-page-1/#comment-2966 Nick Thu, 23 Dec 2010 11:33:40 +0000 http://www.summa-tech.com/blog/?p=2104#comment-2966 A beautiful, simple explanation. Thank you. A beautiful, simple explanation. Thank you.

]]> By: Bill Shaw http://www.summa-tech.com/blog/2010/06/23/a-little-salt-is-a-good-thing/comment-page-1/#comment-2643 Bill Shaw Thu, 24 Jun 2010 16:52:33 +0000 http://www.summa-tech.com/blog/?p=2104#comment-2643 Thanks Darren. Using usernames probably isn't as good as random numbers (or as you suggest, random strings), since an attacker might already have precomputed hashes for well-known usernames (such as "root"). However, this article was only meant to show how salt works in general. In a real-life implementation, you should use a library that's already been created to do this stuff, like <a href="http://www.jasypt.org/" rel="nofollow">Jasypt</a> if you're doing Java. Thanks Darren. Using usernames probably isn’t as good as random numbers (or as you suggest, random strings), since an attacker might already have precomputed hashes for well-known usernames (such as “root”). However, this article was only meant to show how salt works in general. In a real-life implementation, you should use a library that’s already been created to do this stuff, like Jasypt if you’re doing Java.

]]> By: darren fix http://www.summa-tech.com/blog/2010/06/23/a-little-salt-is-a-good-thing/comment-page-1/#comment-2642 darren fix Thu, 24 Jun 2010 15:51:32 +0000 http://www.summa-tech.com/blog/?p=2104#comment-2642 Thanks for the article. I do something similar in a database app that I'm writing, except instead of using a really long random number for the salt, I use the unique userid as the salt. So I guess that I have two questions: 1) Does a long random number make a significant improvement to the password security? 2) If #1 is true, wouldn't it be better to use a long random string instead? I know that your article was a "100,000 foot overview" and that my questions fall outside of the scope of the article, but I'm afraid that my curiosity has gotten the better of me. Thanks, Darren. Thanks for the article. I do something similar in a database app that I’m writing, except instead of using a really long random number for the salt, I use the unique userid as the salt. So I guess that I have two questions:

1) Does a long random number make a significant improvement to the password security?
2) If #1 is true, wouldn’t it be better to use a long random string instead?

I know that your article was a “100,000 foot overview” and that my questions fall outside of the scope of the article, but I’m afraid that my curiosity has gotten the better of me.

Thanks,
Darren.

]]>