[WEB SECURITY] Hashing and entropy (was RE: [WEB SECURITY] username & pw in clear-text through SSL considered safe?)

Dave Sanford dsanford at austin.rr.com
Fri Jun 20 11:25:38 EDT 2008


Agreed - and although I am a CISSP, certs don't account for much in some
quarters, so justifying it based on a CISSP principle may not hold water
with some - however, Schneier has written extensively on this, and talks
about a specific situation in this:

http://www.schneier.com/essay-188.html

Dave

"We cannot ensure success, but
we can deserve it." John Adams 

> -----Original Message-----
> From: Thierry Zoller [mailto:Thierry at Zoller.lu] 
> Sent: Friday, June 20, 2008 8:42 AM
> To: websecurity at webappsec.org
> Subject: Re[2]: [WEB SECURITY] Hashing and entropy (was RE: 
> [WEB SECURITY] username & pw in clear-text through SSL 
> considered safe?)
> 
> Dear Adrian,
> 
> Sorry, but I could not resist dropping this comment:
> 
> Read:
> AJE> I wish these
> AJE> "webappsec" people would get up to speed with CISSP principles.
> 
> Then:
> AJE> 6. Agreed on SHA 512, but I think it's safer to write your own 
> AJE> algorithm that the attacker is unlikely to know.
> 
> Invent your own crypto algorithm - a classic, they teach this 
> during CISSP these days?

