Good post. However, the part about salted hashing is somewhat misleading. Salted hashes (in this form of usage, not in all) are there to slow down hashing; hiding the salt is (as you explain) pointless. This is also why shadow(3) stores hashes in the exact same line as the hash: it doesn't matter.

To explain this a bit more thoroughly: salts must be chosen on a per-password basis in order to provide any hardening against brute forcing. They then provide the additional security that if two of your users (let's call them 'steve' and 'john') have the same password 'password' and you use their usernames as salt, their two password hashes will still be different, because H('stevepassword') and H('johnpassword') are completely different (provided you're using a cryptographic hash). With unsalted hashes (or when the salt is the same for the whole database), as soon as anyone knows the hash of 'password', they can also check through all other rows if they have the same hash. With salted hashes, you have to hash your entire character set against any different salt and check it against the corresponding row.
Commented Apr 6, 2012 on Speed Hashing at Coding Horror
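The cross-row check the comment describes, as an added example that is not from the commenter or the post: H is plain SHA-256 standing in for whatever hash the site uses (a real deployment would use a slow KDF), and the usernames and passwords are constructed.

```python
import hashlib
import os

# Constructed sample user table (not from the original post): steve and john
# share the password 'password', as in the comment above.
USERS = {"steve": "password", "john": "password", "alice": "hunter2"}


def H(data: bytes) -> str:
    """Plain SHA-256 standing in for the comment's H(). A real deployment
    would use bcrypt/scrypt/Argon2 here; the salt is what this example shows."""
    return hashlib.sha256(data).hexdigest()


def unsalted_store(users):
    """Store H(password) only. Equal passwords produce equal rows."""
    return {u: H(p.encode()) for u, p in users.items()}


def salted_store(users, salt_for=lambda username: os.urandom(16)):
    """Store (salt, H(salt || password)) with a per-user salt.
    Default: 16 random bytes. Pass salt_for=lambda u: u.encode() to reproduce
    the username-as-salt scheme from the comment. The salt sits in the clear
    next to the hash, as a shadow file does, since hiding it buys nothing."""
    rows = {}
    for u, p in users.items():
        salt = salt_for(u)
        rows[u] = (salt, H(salt + p.encode()))
    return rows


def check_guess_unsalted(store, guess):
    """One hash of the guess is enough to test every row.
    Returns (matching usernames, number of hash computations)."""
    h = H(guess.encode())
    return [u for u, stored in store.items() if stored == h], 1


def check_guess_salted(store, guess):
    """Every row has its own salt, so the guess is rehashed once per row.
    Returns (matching usernames, number of hash computations)."""
    hits, work = [], 0
    for u, (salt, stored) in store.items():
        work += 1
        if H(salt + guess.encode()) == stored:
            hits.append(u)
    return hits, work
```

With N rows, one guess costs 1 hash against the unsalted table and N hashes against the salted one, which is the per-row cost the comment is pointing at.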