Network Security: Detailed info on Re: Oracle hash-list?

Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.

Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.

Network Security Pen-Test

[Top] [All Lists]

Re: Oracle hash-list?

from [Joshua Wright] Network Security

[Permanent Link]

Subject:	Re: Oracle hash-list?
Date:	Mon, 21 Mar 2005 11:19:52 -0500

Steven DeFord wrote:

Isn't using the username as useful as a salt? Better, even, perhaps, since usernames are longer than your typical few-character salt? Salts just slow down precompiled dictionary attacks, yes? I suppose it would be less useful for the few default accounts, but not for all the other users.

While this is true, a conflicting salt for users on two different systems would be a problem, since they will have the same password hash. A compromised username/password combination on one system could extend to another system since there is no unique salt.

-Josh
--
-Joshua Wright
jwright@hasborg.com
http://home.jwu.edu/jwright/

pgpkey: http://home.jwu.edu/jwright/pgpkey.htm
fingerprint: FDA5 12FC F391 3740 E0AE BDB6 8FE2 FC0A D44B 4A73

Today I stumbled across the world's largest hotspot.  The SSID is "linksys".

[More with this subject...]

<Prev in Thread]	Current Thread	[Next in Thread>
Oracle hash-list?, Jeroen Re: Oracle hash-list?, Pieter Danhieux Re: Oracle hash-list?, Steven DeFord Re: Oracle hash-list?, Joshua Wright <= Re: Oracle hash-list?, Jeroen Re: Oracle hash-list?, Nexus RE: Oracle hash-list?, McAllister, Andrew Re: Oracle hash-list?, James Hackett

Previous by Date:	Re: Oracle hash-list?, James Hackett
Next by Date:	SecurityForest Exploitation Framework Beta has been released!, Alon Swartz
Previous by Thread:	Re: Oracle hash-list?, Steven DeFord
Next by Thread:	Re: Oracle hash-list?, Jeroen
Indexes:	[Date] [Thread] [Top] [All Lists]