[Cryptography] Repeated Salts?

Ray Dillinger bear at sonic.net
Thu May 18 01:46:14 EDT 2017


Is there software still in use that is likely to repeat salts across
separate installations?

For example, does anything hash the username in order to get a salt,
whereupon ALL of the people who select a common username get their
passwords hashed with the same salt, across many installations?

If everybody who uses a common username (or all the people who have user
number 27, or whatever) gets the same salt, then the logic behind salt,
of not giving the attacker the opportunity to reuse password guesses
across multiple accounts, applies only to attackers who are
attacking single installations.

If common usernames or user numbers or account names can lead to
identical salts, then an opponent attacking installations wholesale gets
to build separate rainbow tables (or whatever) that apply to each of a
few million "common" salts, and gets the benefit of reusing computation
anyway.

				Bear



-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <http://www.metzdowd.com/pipermail/cryptography/attachments/20170517/b6475147/attachment.sig>


More information about the cryptography mailing list