Difference between revisions of "Talk:Hashing Java"

From OWASP
Jump to: navigation, search
 
Line 1: Line 1:
 +
==Status==
 +
Needs review
 +
 +
==Reviewers==
 +
* ?
 +
 +
==General Discussion==
 
I use a very similar scheme in my applications, but 2 points that came to mind whilst reading.
 
I use a very similar scheme in my applications, but 2 points that came to mind whilst reading.
 
#Iterations of at least 1000 times seemed a bit excessive, but it is in the standard and I'm in no way qualified to critise.
 
#Iterations of at least 1000 times seemed a bit excessive, but it is in the standard and I'm in no way qualified to critise.
 
#Instead of storing salt in it's own field I usually include it amongst the password (i.e characters 2, 4, 7, 13, 17, 19) to make it that bit harder to even find the salt value.  I generally hex encode the hashes as well to make them a bit easier to work with.  Assuming decompiled code is available (as an attacker has gained access to the password hashes) this extra salt hiding may not serve any useless purpose.
 
#Instead of storing salt in it's own field I usually include it amongst the password (i.e characters 2, 4, 7, 13, 17, 19) to make it that bit harder to even find the salt value.  I generally hex encode the hashes as well to make them a bit easier to work with.  Assuming decompiled code is available (as an attacker has gained access to the password hashes) this extra salt hiding may not serve any useless purpose.

Revision as of 04:49, 7 November 2006

Status

Needs review

Reviewers

  •  ?

General Discussion

I use a very similar scheme in my applications, but 2 points that came to mind whilst reading.

  1. Iterations of at least 1000 times seemed a bit excessive, but it is in the standard and I'm in no way qualified to critise.
  2. Instead of storing salt in it's own field I usually include it amongst the password (i.e characters 2, 4, 7, 13, 17, 19) to make it that bit harder to even find the salt value. I generally hex encode the hashes as well to make them a bit easier to work with. Assuming decompiled code is available (as an attacker has gained access to the password hashes) this extra salt hiding may not serve any useless purpose.