This is Jeroen Jacobs's Typepad Profile.
Jeroen Jacobs
Recent Activity
Jeffrey: such a system already exists: smartcards. No need for storing passwords in a database anymore, and it's perfectly usable on the web in combination with SSL.
Commented Apr 6, 2012 on Speed Hashing at Coding Horror
Sofa420: This looks like a waste of CPU cycles to me. Salts have only one purpose: to make sure that the same password evaluates to a different hash. Therefore, it only secures against those famous dictionary attacks (= rainbow tables). The only thing that really matters for a salt is that it's unique. In fact, your implementation might not be secure at all if you also store that date in your database (as the date/time of registration, for example). This makes your salt predictable, and not really random, therefore defeating the purpose of a salt. I think it's better to use a cryptographic number generator for this. Now if you are doing this in JavaScript, you don't really have one. Maybe you could use something like this (pseudocode): `salt = hash(mouse_cursor_position + screen_resolution + user_agent + ...)`. A combination of this should be more random than taking the username and registration date as a salt. The extra hashing you do in your code does nothing to prevent that.
Commented Apr 6, 2012 on Speed Hashing at Coding Horror
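The two salt strategies the comment above contrasts, as an added example that is not from the commenter or from Coding Horror: a salt derived from stored account fields (username plus registration date) beside one drawn from the OS CSPRNG. PBKDF2-HMAC-SHA256 via Python's `hashlib` is an assumed choice of password hash, and the user records are constructed sample data; `salt_recoverable_from_record` shows the comment's point that the derived salt can be rebuilt from what the database already stores.

```python
import hashlib
import secrets
from datetime import date

ITERATIONS = 100_000  # assumed work factor; tune for your own hardware


def predictable_salt(username: str, registered: date) -> bytes:
    """Salt derived only from fields the account record already stores."""
    return hashlib.sha256(f"{username}:{registered.isoformat()}".encode()).digest()


def random_salt(nbytes: int = 16) -> bytes:
    """Salt from the OS CSPRNG; it is stored beside the hash, not derived."""
    return secrets.token_bytes(nbytes)


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def create_record(username: str, password: str, registered: date, use_random: bool) -> dict:
    salt = random_salt() if use_random else predictable_salt(username, registered)
    return {"username": username, "registered": registered,
            "salt": salt, "hash": hash_password(password, salt)}


def verify(record: dict, password: str) -> bool:
    candidate = hash_password(password, record["salt"])
    return secrets.compare_digest(candidate, record["hash"])


def salt_recoverable_from_record(record: dict) -> bool:
    """Can the salt be rebuilt from the other stored fields alone?"""
    return predictable_salt(record["username"], record["registered"]) == record["salt"]


def demo(use_random: bool) -> dict:
    # Constructed sample: two users who chose the same password on the same day.
    alice = create_record("alice", "correct horse", date(2012, 4, 6), use_random)
    bob = create_record("bob", "correct horse", date(2012, 4, 6), use_random)
    return {
        "hashes_differ": alice["hash"] != bob["hash"],   # unique salt => distinct hashes
        "verify_ok": verify(alice, "correct horse"),
        "verify_wrong": verify(alice, "wrong"),
        "salt_recoverable": salt_recoverable_from_record(alice),
    }


if __name__ == "__main__":
    print("predictable salt:", demo(use_random=False))
    print("random salt:     ", demo(use_random=True))
```

Both schemes give the two users distinct hashes; only the derived salt can be recomputed from the stored username and registration date.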
Jeroen Jacobs is now following The Typepad Team
Apr 6, 2012