security - Is using a 'salt' all that good? -


I do not claim to be an expert in security, but I think that adding salt is not really for example , If the user's password is John 1970 and salt 123456, then this means that the password is 123456john1970, while it is an attacker (using a dictionary attack) like rainbow tables), the attacker might guess. The first part is salt. I use non-standard methods (like XORing with some keys or applying a few simple mathematical operations for the code of the letters) more effective I know most of you probably will not agree with me, but it makes me more understandable Comes.

Your opinion?

Duplicate:

The salt has not been added to make a password difficult at the front, it has been added to ensure that password storage does not leak additional information

In fact, salt arises randomly for each password, and is stored without any type of obstruction of the password.

The password is never stored in the database, only hash is stored (MD5, SHA1, SHA2 * etc.).

The MD5 of 'password' is always 523320acce0dc6a4 of PhD 04869 286755. If you have stored MD5 in the password database, you can see that string and know that password is 'password'.

By adding the salt of '84824', this amount becomes 2ca20e59df3a62e5dc4a3a0037372124. But if you have another database (or the other user uses the same password), they may have a random salt of '8999', so that: 4e7a210a07958cfe24138a644cbb7f84

The issue is that if an attacker A password database of passwords, password hashes will be meaningless; You will also not be able to tell whether 2 or more users were using the same password.

Edit:

In comparison - The mathematical formula that you apply can be reversed. If you choose a salt, the password is the exhaust salt with the Hash, then the attackers can only undo the XOR operation and get the original hash on which the rainbow tables are extremely useful.

If you think that the mathematical formula can not be reversed, there is an opportunity that you are actually losing data, and you are mapping multiple passwords in the same final hash. It actually multiplies the probability that the attacker will get a password for hash because any suitable password will work.

If you keep XOR safe and keep the XOR value safe, it is just an additional secret that should be kept anywhere, and by revealing that secret effectively loses all of your passwords. (Again due to rainbow tables). There is no additional secret with salt, the operation can not be reversed, but can be repeated, and each password must be attacked individually.

EDIT: This is absolutely relevant now:


Comments

Post a Comment

Popular posts from this blog

python - Overriding the save method in Django ModelForm -

I'm having trouble overriding a ModelForm save method. I get this error I'm: Exception type: TypeErier Exception Value: Save () found an unexpected keyword argument 'committed' My intentions include a form 3 fields Submit several values ​​for, then create an object for each combination of those areas, and to save each object file models.py class collarsult type (models.Model): id = model. AutoField (db_column = 'icontact_result_code_type_id', primary_key = true) callResult = models.ForeignKey ( 'CallResult', db_column = 'icontact_result_code_id') campaign = models.ForeignKey ( 'campaign', db_column = 'icampaign_id') CALLTYPE = models.ForeignKey ( 'CALLTYPE', db_column = 'icall_type_id') agent = models.BooleanField (db_column = 'bagent', default = true) teamLeader = models.BooleanField (db_column = 'bTeamLeader', default = true) active = models.BooleanField (db_column = Django.form...
Read more

html - CSS autoheight, but fit content to height of div -

I have a div in which there are three children- div in the left and middle div: float: left while true: float: true because it is my layout Actually will spoil, I've used ClearFix Hack: .cf {zoom: 1; }. Cf: First,. Cf: {content: ""; Display: Table; }. Cf: After {clear: both; } It still works, but I want to be the right div an indicator. So it should fill 100% of the parent unit of height. How can I complete this? PS is the full code: & Lt; / Div & gt; & Lt; Div class = "mobile_content" & gt; & Lt; H5 & gt; {{Data.titel}} & lt; / H5> & Lt; Table & gt; & Lt; TR & gt; & Lt; Th & gt; Komponist: & lt; / Th & gt; & Lt; TD & gt; {{Data.komponist}} & lt; / TD & gt; & Lt; / TR & gt; & Lt; TR & gt; & Lt; Th & gt; Instrument: & lt; / Th & gt; & Lt; TD & gt; {{Data.instrumente}} & lt; / TD & gt; & Lt; / TR & gt;...
Read more

qt - How to prevent QAudioInput from automatically boosting the master volume to 100%? -

I have been trying to use Qt5 multimedia to record audio with QAudioInput, however, when I see If QAudioInput is started, it increases the master volume of my sound device to 100%. How can I prevent QAudioInput from changing the master volume? My current development platform is Linux with PalsAdio (with flat audio disabled). How can I use QAudioInput : QAudioDeviceInfo device_info = QAudioDeviceInfo :: defaultInputDevice (); QAudio format format; Format.setSampleRate (44100); Format.setChannelCount (1); Format.setSampleSize (16); Format.setCodec ("Audio / PCM"); Format.setSampleType (QAudioFormat :: SignedInt); Format.setByteOrder (QAudioFormat :: LittleEndian); Std :: cout & lt; & Lt; Device_info.deviceName (). ToUtf8 (). ConstData () & lt; & Lt; Std :: endl; QAudioInput * default_device = new QAudioInput (device_info, format); QIODevice * default_io_device = default_device-> Start (); a QAudioInput.setVolume () method is not you I ...
Read more