Subject:Re: how long should a password be?
Group:Gnupg-users
From:Bill Royds
Date:10 May 2008


 
On 10-May-08, at 04:37 , Peter Pentchev wrote:

> It seems that you are missing another important point about the salt -
> it is generated randomly each and every time something needs to be
> encrypted :) There is no such thing as "the salt value for this user";
> every time this user wants to hash a password, the system generates
> a random salt value and hashes this particular password, just this once,
> with this value.

But this begs the question of how to add the salt properly when
verifying the password against stored values.

To be able to authenticate against a password, it needs to be
available, in some form, as required. Normally that form is in a table
of hashed passwords, where the hashed value is a hashed combination of
the actual password and the salt Hash(Password,salt). The
authentication routine has the password, but where is the salt stored?
If it is stored along with the password, then it is available to the
cracker who has the hash table, which is necessary for brute force
cracking so adds no more security. It can't be generated each time
because it has to be the same as used in creation of the hash table.
So storage of the salt becomes its own security problem.


Bill Royds





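The question Bill raises, where the salt lives at verification time, has a standard answer that the following added example shows in working code. It is not code from the thread or from GnuPG: the salt is drawn with os.urandom when the password is first stored, kept in the clear inside the stored record next to the digest, and read back from that record when a login is checked. The salt is not meant to be secret. What it buys is that two users with the same password get different records and that a guess has to be hashed once per record rather than once for everybody, so a precomputed table of hashed guesses is useless; the cost of brute force per record comes from the key derivation function's iteration count, not from hiding the salt. The `$`-separated record layout and the iteration count are choices made for this example.

```python
import hashlib
import hmac
import os
from typing import Optional

# Record layout (constructed for this example):
#   pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>
# The salt sits in the clear beside the digest; only the password is secret.
ALGORITHM = "pbkdf2_sha256"
DEFAULT_ITERATIONS = 200_000
SALT_BYTES = 16


def hash_password(password: str, iterations: int = DEFAULT_ITERATIONS,
                  salt: Optional[bytes] = None) -> str:
    """Create the stored record for a password.

    A fresh random salt is drawn for every stored password, so the same
    password stored twice yields two different records. The 'salt' argument
    exists only so tests can be deterministic; real callers leave it None.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Check a login attempt: take the salt out of the record, recompute, compare.

    The comparison is constant-time so timing does not leak how many digest
    bytes matched. Malformed records simply fail verification.
    """
    try:
        algorithm, iterations_str, salt_hex, digest_hex = record.split("$")
        if algorithm != ALGORITHM:
            return False
        iterations = int(iterations_str)
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
    except ValueError:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, expected)


def salt_of(record: str) -> bytes:
    """The salt is recoverable by anyone holding the record; that is by design."""
    return bytes.fromhex(record.split("$")[2])


def guesses_needed(records: list, guesses: list) -> int:
    """Count digest computations an attacker spends testing a word list.

    Because each record carries its own salt, every guess must be re-hashed
    for every record: len(guesses) * len(records) work, instead of
    len(guesses) once for an unsalted table shared across all users.
    """
    work = 0
    for record in records:
        for guess in guesses:
            work += 1
            if verify_password(guess, record):
                break
    return work


if __name__ == "__main__":
    # Two users choose the same (constructed) password; records still differ.
    users = {"alice": hash_password("correct horse"), "bob": hash_password("correct horse")}
    print(users["alice"] != users["bob"])            # True: different salts
    print(verify_password("correct horse", users["alice"]))  # True
    print(verify_password("wrong horse", users["bob"]))      # False
    print(len(salt_of(users["alice"])))              # 16: salt is readable from the record
```

Note that `guesses_needed` is the defender's accounting of attacker effort, not an attack tool: with a single shared (or absent) salt the inner loop would collapse to one hash per guess, which is exactly the precomputation the per-record salt rules out.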