Posted by Alexander Mueller on 01/09/08 18:52
Jeff wrote:
>
> I think he's talking about the salt. Do you pass the salt with the form
> submit, if you do, what is the security advantage?
A salt is always used to have a hash which is different from the regular
hash (to prevent precomputed hash tables). In the case of the salt, it certainly
always has to be the same.
As to the replay salt, this would only be used to prevent replay attacks
and would, or better should, always be different. Of course it wouldn't
be used to store the password hash.
>
> All this looks a bit like unix password encryption where no one knows
> the password, only if it is wrong. What would the application be?
Well, yes, hashes are used in Unix too, but it is a general solution and
most websites use a hash to store passwords with the exception that the
server is generating the hash.
Alexander
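
Added example, not part of the original post or thread: a Python sketch of the two salts discussed above, with a fixed per-user salt for the stored hash and a fresh replay salt per login attempt, showing that a captured form submission is rejected when resent. The names `LoginServer`, `stored_hash` and `client_response`, the choice of PBKDF2 and HMAC-SHA256, and the sample account are assumptions of this sketch.

```python
import hashlib, hmac, secrets

ITERATIONS = 100_000  # assumed work factor for this sketch

def stored_hash(password: str, salt: bytes) -> bytes:
    """Fixed per-user salt: identical on every login, so the hash is reproducible."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def client_response(password: str, salt: bytes, replay_salt: bytes) -> bytes:
    """Value the client submits in place of the password."""
    return hmac.new(stored_hash(password, salt), replay_salt, hashlib.sha256).digest()

class LoginServer:
    def __init__(self):
        self.users = {}    # username -> (salt, stored hash)
        self.pending = {}  # username -> outstanding replay salt

    def register(self, user, password):
        salt = secrets.token_bytes(16)
        self.users[user] = (salt, stored_hash(password, salt))

    def challenge(self, user):
        """Return the fixed salt plus a fresh replay salt for this attempt."""
        replay_salt = secrets.token_bytes(16)
        self.pending[user] = replay_salt
        return self.users[user][0], replay_salt

    def verify(self, user, response):
        replay_salt = self.pending.pop(user, None)  # single use: consumed here
        if replay_salt is None:
            return False
        _, stored = self.users[user]
        expected = hmac.new(stored, replay_salt, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)

def demo():
    server = LoginServer()
    server.register("alice", "correct horse")    # constructed sample account
    salt, replay_salt = server.challenge("alice")
    captured = client_response("correct horse", salt, replay_salt)
    first = server.verify("alice", captured)     # genuine login
    replayed = server.verify("alice", captured)  # same bytes resent, no open challenge
    server.challenge("alice")
    stale = server.verify("alice", captured)     # old response against a new replay salt
    return first, replayed, stale

if __name__ == "__main__":
    print(demo())
```

In this arrangement the stored hash is itself the secret the client proves knowledge of, so the server-side hash table needs the same protection as a password file.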