RE: php validate user password

> -----Original Message-----
> From: tedd [mailto:tedd.sperling@xxxxxxxxx]
> Sent: Monday, February 09, 2009 10:30 AM
> To: Bruno Fajardo
> Cc: PHP General
> Subject: Re:  php validate user password
> 
> At 12:20 PM -0300 2/9/09, Bruno Fajardo wrote:
> >tedd,
> >
> >I think that the problem of the "duplicated hashes" in the database
> >(in the case of two users using the same password) persists with a
> >constant prefix in the passwords. Although the random salt portion gets
> >stored in the database concatenated to the hash, the attacker doesn't
> >know the string length of the salt, making the attack very difficult.
> 
> 
> I've seen many duplicate password hashes in databases. Get a user
> number in the thousands and it's almost certain you'll have duplicate
> passwords. People just cannot create unique passwords.
> 
> The article discussed using a random salt to avoid this, I got the
> message.
> 
> I was just saying that even if there are duplicates, that doesn't
> make solving the hash any easier -- it just focuses the attention of
> the cracker to those duplicates. In some cases, I could see that as
> another way to foil a cracker by deliberately having those records in
> a database without a solution.
> 
> For example, I could have a duplicate hash appear five times in a 5K
> population -- that certainly would become a focus for a cracker.
> However, I could also have my code looking for that hash and never
> provide a solution regardless of what the cracker does -- do you see
> what I mean?
> 
> Granted, there are things here that are above my head -- I am not
> passing myself off as an expert but rather as someone proposing ideas
> to see if they pass or fail.

I don't think "Security By Obscurity" gets a fair shake anymore in
today's security world. Sure, it would be horrible to employ it
exclusively, but I think the added layer of abstraction that comes along
with it is a wonderful benefit to any application's security procedures.

The salt itself could be considered security by obscurity, since it is
being passed through the same algorithm as what you're hashing to begin
with. This might be a stretch, though. :)

I say, "Huzzah, tedd. Good idea."

Hash + Obscurity > Hash + Nothing


// Todd

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
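The scheme Bruno describes above (a random per-user salt stored in the database concatenated to the hash) as an added PHP example; this is not code from the thread. It assumes a fixed-width salt, SHA-256 and a hex-encoded record layout; the function names are made up for the illustration.

```php
<?php
// Added example: per-user random salt stored next to the hash, in a
// fixed-width record so verification can split the two parts apart again.

const SALT_BYTES = 16;            // 128-bit salt; hex-encoded it occupies 32 chars

// Build the stored record as hex(salt) . hex(sha256(salt . password)).
function make_record(string $password): string {
    $salt = random_bytes(SALT_BYTES);                 // CSPRNG, unique per user
    $hash = hash('sha256', $salt . $password, true);  // raw binary digest
    return bin2hex($salt) . bin2hex($hash);
}

// Recompute the hash from the stored salt; hash_equals() compares in
// constant time so a mismatch does not leak how many leading bytes matched.
function check_record(string $password, string $record): bool {
    $saltHex = substr($record, 0, SALT_BYTES * 2);
    $hashHex = substr($record, SALT_BYTES * 2);
    $salt = @hex2bin($saltHex);
    if ($salt === false || strlen($salt) !== SALT_BYTES) {
        return false;                                 // malformed record
    }
    $expected = hash('sha256', $salt . $password);    // hex digest
    return hash_equals($expected, $hashHex);
}

// Constructed sample: two users pick the same password.
$recordA = make_record('correct horse');
$recordB = make_record('correct horse');

echo "records differ for identical passwords: ",
     var_export($recordA !== $recordB, true), "\n";
echo "right password accepted: ",
     var_export(check_record('correct horse', $recordA), true), "\n";
echo "wrong password rejected: ",
     var_export(!check_record('wrong', $recordA), true), "\n";

// PHP's built-in API (PHP >= 5.5) generates and stores the salt itself and
// uses a deliberately slow algorithm; prefer it over hand-rolled hashing.
$stored = password_hash('correct horse', PASSWORD_DEFAULT);
echo "password_verify: ",
     var_export(password_verify('correct horse', $stored), true), "\n";
```

Because each record carries its own random salt, the duplicate hashes tedd observes for shared passwords disappear without the salt needing to be secret.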


