Difference between revisions of "Talk:Hashing Java"
From OWASP
Revision as of 09:49, 7 November 2006
Status
Needs review
Reviewers
- ?
General Discussion
I use a very similar scheme in my applications, but 2 points came to mind whilst reading.
- Iterations of at least 1000 times seemed a bit excessive, but it is in the standard and I'm in no way qualified to criticise.
- Instead of storing the salt in its own field I usually include it amongst the password (i.e. characters 2, 4, 7, 13, 17, 19) to make it that bit harder to even find the salt value. I generally hex encode the hashes as well to make them a bit easier to work with. Assuming decompiled code is available (as an attacker has gained access to the password hashes) this extra salt hiding may not serve any useless purpose.
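As an added illustration of the scheme under discussion (this is example code written for this note, not code from the Hashing Java page or from the commenter): a per-user random salt kept in its own field, the digest iterated 1000 times, hex encoding for storage, and a constant-time comparison on verification. SHA-256, a 16-byte salt and Java 17's HexFormat are assumptions; for new code a purpose-built password KDF such as PBKDF2 via SecretKeyFactory is the better choice, but the structure below is what the 1000-iteration scheme amounts to.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.HexFormat; // Java 17+ (assumption: newer JDK)

public final class SaltedIteratedHash {
    private static final int ITERATIONS = 1000; // the minimum the comment refers to
    private static final int SALT_BYTES = 16;   // assumption: 128-bit salt

    // Fresh random salt per user; stored alongside the hash in its own field.
    public static byte[] newSalt() {
        byte[] salt = new byte[SALT_BYTES];
        new SecureRandom().nextBytes(salt);
        return salt;
    }

    // digest = H(salt || password), then re-hashed until ITERATIONS digests have been computed.
    public static byte[] hash(char[] password, byte[] salt) throws NoSuchAlgorithmException {
        MessageDigest md = MessageDigest.getInstance("SHA-256");
        md.update(salt);
        byte[] digest = md.digest(new String(password).getBytes(StandardCharsets.UTF_8));
        for (int i = 1; i < ITERATIONS; i++) {
            md.reset();
            digest = md.digest(digest);
        }
        return digest;
    }

    // Recompute from the stored salt and compare in constant time, so that timing
    // does not leak how many leading bytes of the candidate hash matched.
    public static boolean verify(char[] candidate, String saltHex, String hashHex)
            throws NoSuchAlgorithmException {
        byte[] salt = HexFormat.of().parseHex(saltHex);
        byte[] expected = HexFormat.of().parseHex(hashHex);
        byte[] actual = hash(candidate, salt);
        return MessageDigest.isEqual(expected, actual);
    }

    public static void main(String[] args) throws NoSuchAlgorithmException {
        char[] pw = "correct horse battery staple".toCharArray(); // constructed sample
        byte[] salt = newSalt();
        String saltHex = HexFormat.of().formatHex(salt);
        String hashHex = HexFormat.of().formatHex(hash(pw, salt));
        System.out.println("salt=" + saltHex + " hash=" + hashHex);
        System.out.println(verify(pw, saltHex, hashHex));
        System.out.println(verify("wrong".toCharArray(), saltHex, hashHex));
    }
}
```

Keeping the salt in a separate column costs nothing in security: the salt's job is to make precomputed tables useless, and it does that whether or not an attacker can read it.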