Beefy Boxes and Bandwidth Generously Provided by pair Networks
"be consistent"
 
PerlMonks  

Re^3: Opportunity to excel

by jethro (Monsignor)
on Aug 02, 2009 at 15:12 UTC ( [id://785244]=note: print w/replies, xml ) Need Help??


in reply to Re^2: Opportunity to excel
in thread Status of Recent User Information Leak

Hash the userid and password together.

That would just be like a seed but with a guessable instead of a random value. Would make it possible to generate rainbow tables for common userid ranges (or if you meant usernames, for common usernames).

Storing the seed in front of the hash value is neither expensive nor difficult and there is no reason to optimize randomness away for a clever trick to save a few kbyte

Replies are listed 'Best First'.
Re^4: Opportunity to excel
by BrowserUk (Patriarch) on Aug 02, 2009 at 15:29 UTC

    I didn't mean instead of a seed. By all means keep your random seed, but if you're going to store that in plain text, it is just as vulnerable as a plain text password once you have been compromised!

    You always have two pieces of information--userid and password--making the hash dependant upon the combination, means the bad guys have to build rainbow tables for every combination of userid and password. Ie. You're back to massive combinatorics.


    Examine what is said, not who speaks -- Silence betokens consent -- Love the truth but pardon error.
    "Science is about questioning the status quo. Questioning authority".
    In the absence of evidence, opinion is indistinguishable from prejudice.
      The userid has to be stored in plain text as well. The ONLY function of the seed (or in this case usually called Salt_(cryptography)) is to prevent rainbow (or similar library) attacks. There is nothing intrinsically "vulnerable" about a visible random seed/salt

      If you replace "userid" with "random seed" in your second paragraph, the sentence is still correct. Your userid scheme is cryptographically nothing but a random seed with much less randomness

Log In?
Username:
Password:

What's my password?
Create A New User
Domain Nodelet?
Node Status?
node history
Node Type: note [id://785244]
help
Chatterbox?
and the web crawler heard nothing...

How do I use this?Last hourOther CB clients
Other Users?
Others contemplating the Monastery: (5)
As of 2024-03-28 20:53 GMT
Sections?
Information?
Find Nodes?
Leftovers?
    Voting Booth?

    No recent polls found