[WEB SECURITY] Salt Storage - web.config or database?

Martin O'Neal martin.oneal at corsaire.com
Fri Jun 2 09:53:05 EDT 2006


> ... prevents direct access to both items necessary to force an 
> authentication.

How does it prevent anything?  If there is a route to attack the
application and the environment that it sits on, then, as the application
*must* access both components (hash and salt), the successful attacker can
also do the same.  The net effect is to increase system complexity and
introduce the risk of the two stores becoming unsynchronised, while
gaining nothing in security.

> keep them separate (commonly with 1 salt for all users).

Which isn't effective salting at all.  Such an approach may help defeat
pre-computes, but doesn't help with hash-once, compare many attacks
(which would be the most likely form of attack against any custom piece
of code).

Martin...
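The "hash-once, compare many" point in the reply above, as an added worked example (this code is not from the post or its author): it builds the same user table twice, once with a single site-wide salt and once with a per-user salt, then runs a dictionary attack against each and counts hash invocations. The user list, the dictionary and the use of plain SHA-256 in place of a slow KDF are assumptions made for the demonstration.

```python
import hashlib
import os
from typing import Dict, List, Tuple

# Constructed sample data (assumption for the demo): a few users whose passwords
# all come from a tiny dictionary. alice and dave share a password on purpose.
USERS: Dict[str, str] = {
    "alice": "password1",
    "bob": "letmein",
    "carol": "qwerty",
    "dave": "password1",
}
DICTIONARY: List[str] = ["123456", "password", "letmein", "qwerty", "password1", "dragon"]


def pwd_hash(salt: bytes, password: str) -> bytes:
    """SHA-256(salt || password).  A fast hash is used only so the attacker's work
    can be counted in hash calls; real code should use a slow KDF (PBKDF2 etc.)."""
    return hashlib.sha256(salt + password.encode("utf-8")).digest()


def store_global_salt(users: Dict[str, str], salt: bytes) -> Dict[str, bytes]:
    """One salt shared by every user: the scheme criticised in the reply."""
    return {name: pwd_hash(salt, pw) for name, pw in users.items()}


def store_per_user_salt(users: Dict[str, str]) -> Dict[str, Tuple[bytes, bytes]]:
    """A fresh random salt per user, stored next to that user's hash."""
    out: Dict[str, Tuple[bytes, bytes]] = {}
    for name, pw in users.items():
        salt = os.urandom(16)
        out[name] = (salt, pwd_hash(salt, pw))
    return out


def crack_global(store: Dict[str, bytes], salt: bytes,
                 dictionary: List[str]) -> Tuple[Dict[str, str], int]:
    """Hash-once, compare-many: each candidate is hashed a single time and the
    result is looked up against every stored hash at once.  Work grows with the
    dictionary size, not with the number of users."""
    by_hash: Dict[bytes, List[str]] = {}
    for name, h in store.items():
        by_hash.setdefault(h, []).append(name)
    recovered: Dict[str, str] = {}
    calls = 0
    for candidate in dictionary:
        h = pwd_hash(salt, candidate)
        calls += 1
        for name in by_hash.get(h, []):
            recovered[name] = candidate
    return recovered, calls


def crack_per_user(store: Dict[str, Tuple[bytes, bytes]],
                   dictionary: List[str]) -> Tuple[Dict[str, str], int]:
    """With per-user salts nothing can be shared between accounts: every
    candidate has to be re-hashed under each user's own salt."""
    recovered: Dict[str, str] = {}
    calls = 0
    for name, (salt, h) in store.items():
        for candidate in dictionary:
            calls += 1
            if pwd_hash(salt, candidate) == h:
                recovered[name] = candidate
                break
    return recovered, calls


def demo() -> Dict[str, object]:
    """Run both attacks and report the cost and the equal-password leak."""
    global_salt = b"site-wide-salt"  # assumed value for the shared-salt store
    g = store_global_salt(USERS, global_salt)
    p = store_per_user_salt(USERS)
    rec_g, calls_g = crack_global(g, global_salt, DICTIONARY)
    rec_p, calls_p = crack_per_user(p, DICTIONARY)
    return {
        "global_hash_calls": calls_g,          # one per dictionary word
        "per_user_hash_calls": calls_p,        # per user, per word tried
        "global_shared_hash": g["alice"] == g["dave"],        # same pw -> same hash
        "per_user_shared_hash": p["alice"][1] == p["dave"][1],  # same pw -> different hash
        "both_recover_all": rec_g == USERS and rec_p == USERS,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Both stores fall to the same weak dictionary, so per-user salting is not a substitute for a slow KDF; what it changes is that the attacker's cost multiplies by the number of accounts instead of staying flat, and that two users with the same password no longer produce the same stored hash.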

----------------------------------------------------------------------------
The Web Security Mailing List
http://www.webappsec.org/lists/websecurity/

The Web Security Mailing List Archives
http://www.webappsec.org/lists/websecurity/archive/