Are You Sure SHA-1+Salt Is Enough For Passwords? 409

Posted by CmdrTaco on Wednesday February 09, 2011 @09:47AM from the good-enough-for-govt-work dept.

Melchett writes "It's all too common that Web (and other) applications use MD5, SHA1, or SHA-256 to hash user passwords, and more enlightened developers even salt the password. And over the years I've seen heated discussions on just how salt values should be generated and on how long they should be. Unfortunately in most cases people overlook the fact that MD and SHA hash families are designed for computational speed, and the quality of your salt values doesn't really matter when an attacker has gained full control, as happened with rootkit.com. When an attacker has root access, they will get your passwords, salt, and the code that you use to verify the passwords."

Are You Sure SHA-1+Salt Is Enough For Passwords?

This discussion has been archived. No new comments can be posted.

Search 409 Comments Log In/Create an Account

Comments Filter:

Re:Security cookbook? (Score:5, Funny)

by Brad1138 ( 590148 ) writes: <brad1138@yahoo.com> on Wednesday February 09, 2011 @11:02AM (#35150282)

It does not go too deep, but just deep enough:

That's what she said...

Re:Wait, what? (Score:5, Funny)

by ifrag ( 984323 ) writes: on Wednesday February 09, 2011 @11:09AM (#35150362)

Ouch... and here I was thinking my hand-harvested, shade-grown, organic Himalayan pink salt was the final solution to password security. That's the last time I trust the Himalayans.

There may be more comments in this discussion. Without JavaScript enabled, you might want to turn on Classic Discussion System in your preferences instead.

Are You Sure SHA-1+Salt Is Enough For Passwords? 409

Are You Sure SHA-1+Salt Is Enough For Passwords? More Login

Are You Sure SHA-1+Salt Is Enough For Passwords?

Re:Security cookbook? (Score:5, Funny)

Re:Wait, what? (Score:5, Funny)

Related Links Top of the: day, week, month.

Slashdot Top Deals

Slashdot