[pLog-svn] Salted MD5

Jon Daley plogworld at jon.limedaley.com
Wed Mar 12 10:35:09 EDT 2008


On Wed, 12 Mar 2008, Matt Wood wrote:
> Heh... this is OT... but more importantly, what other websites do you use
> your password on? There exist programs that will try username/password
> combinations on the top 500 financial institutions (banks/brokers/etc...).
 	For me, none, but I know that some people use the same password, 
or almost the same password on every site, so they only have to guess a 
couple when they encounter something where they don't have any idea of what 
their password is.  For me, I have a password file on my home computer, 
which is accessible via ssh (though the machine is running denyhosts, so 
you only get a couple chances to guess before your IP is blacklisted).
 	Once you guess my login name, you would then have to find the user 
who owns the file, and figure out his password, so a little unprotected 
there.

> Assuming your password is of some strength, I doubt having the salt in the
> config file instead of the database is worth the hassle. The main idea of
> the salt is to fubar precomputed hash attacks.
 	The "hassle" isn't too much on our software, since we already have 
the config file class.
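
The trade-off debated in this thread, as an added example that is not part of the original posts or of pLog's code: it compares unsalted MD5, one site-wide salt kept in a config file, and a random per-user salt stored in the database, against a precomputed table. All names, the salt value and the passwords are constructed for illustration.

```python
import hashlib
import hmac
import os

def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()

# Constructed sample data: a tiny stand-in for a precomputed table of
# unsalted MD5 digests of common passwords.
COMMON = ["password", "letmein", "qwerty"]
PRECOMPUTED = {md5_hex(p.encode()): p for p in COMMON}

# Hypothetical value that would be read from the application's config file.
SITE_SALT = b"constructed-site-salt-from-config"

def unsalted(password: str) -> str:
    return md5_hex(password.encode())

def config_salted(password: str, site_salt: bytes = SITE_SALT) -> str:
    # One salt for the whole site, kept outside the database.
    return md5_hex(site_salt + password.encode())

def db_salted(password: str, user_salt: bytes = None):
    # Random per-user salt, stored in the same row as the digest.
    user_salt = user_salt or os.urandom(16)
    return user_salt.hex(), md5_hex(user_salt + password.encode())

def verify_db_salted(password: str, salt_hex: str, digest: str) -> bool:
    candidate = md5_hex(bytes.fromhex(salt_hex) + password.encode())
    return hmac.compare_digest(candidate, digest)

def table_hit(digest: str):
    # Returns the recovered password if the digest is in the table, else None.
    return PRECOMPUTED.get(digest)

def demo() -> dict:
    pw = "letmein"  # two users who happen to pick the same password
    salt_a, hash_a = db_salted(pw)
    salt_b, hash_b = db_salted(pw)
    return {
        "unsalted_in_table": table_hit(unsalted(pw)),
        "config_in_table": table_hit(config_salted(pw)),
        "db_in_table": table_hit(hash_a),
        "config_same_for_two_users": config_salted(pw) == config_salted(pw),
        "db_same_for_two_users": hash_a == hash_b,
        "verifies": verify_db_salted(pw, salt_a, hash_a),
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Both salting schemes miss the precomputed table, but the config-file salt still gives two users with the same password the same digest, while the per-user salt does not. MD5 appears here only because it is the thread's subject; a current deployment would use a deliberately slow password hash such as bcrypt, scrypt or Argon2.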

