Posted by James on January 25, 2008, 10:53 pm
Cheers Dave, thanks for the insight. This pretty much clears up
everything for me.
DaveMo wrote:
>> Hi Meinolf and Anthony,
>>
>> What I mean by salt is that, for example, UNIX appends a 12-bit string
>> (at least) to a password when hashing it to make cracking more
>> difficult. Does Windows have an internal thing similar to this? A seed
>> may be the terminology Microsoft uses for this same concept.
>>
>> To explain what I'm thinking (and if it's the same as a seed in Windows)
>> - http://en.wikipedia.org/wiki/Salt_(cryptography)
>>
>> Thanks!
>>
>> James
>>
>>
>>
>> Anthony wrote:
>>> Seeds perhaps?
>>> Anthony, http://www.airdesk.co.uk
>>>> Hello James,
>>>> What do you mean with salts?
>>>> Best regards
>>>> Meinolf Weber
>>>> Disclaimer: This posting is provided "AS IS" with no warranties, and
>>>> confers no rights.
>>>> ** Please do NOT email, only reply to Newsgroups
>>>> ** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
>>>>> Hi all,
>>>>> Just a quick question, another admin at my work struck up a
>>>>> conversation about password strength in Windows, stating that salts
>>>>> were not used. This came as a bit of a surprise, as I had never looked
>>>>> into the technicalities of the windows password scheme.
>>>>> Can somebody elaborate on whether this is true, and why salts are not
>>>>> used? Any specific tech references would be nice for the train trip
>>>>> home.
>>>>> Cheers,
>>>>> James
>
> Hello James,
>
> The lack of salting is a relic of a much earlier time when it was not
> obvious that this should be done. Or you could argue that since
> salting is mainly a defense against dictionary attacks, a better
> solution than salting is to make sure you enforce complex passwords
> that aren't in the dictionary. You could claim that salts deliver a
> false sense of security. For example, salts don't help at all for a
> targeted attack on one (or a few) user account and password. In such
> an attack you can always assume the attacker will take the time to
> recompute the dictionary using the salt.
>
> So, the salt would be expensive to implement in the highly
> interconnected Windows infrastructure and it wouldn't do much to
> increase the security level in most of the critical attack scenarios.
> My guess is that these reasons continue to push password salting down
> the priority list of things to do.
>
> Just a couple of cents worth of thoughts.
>
> Dave
>
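A worked illustration of the points made in the thread, added here as an example and not part of any post above. The Windows NT hash is MD4 over the UTF-16LE encoding of the password with no salt, so two accounts sharing a password store the same hash and one precomputed dictionary table cracks every account in a single pass. The "salted" variant below is a toy construction (salt prepended to the same input) used only to show the recomputation cost; it is not the UNIX crypt scheme or anything Windows does. The MD4 routine is included because hashlib's md4 is missing on many OpenSSL 3 builds. Account names, passwords and the wordlist are constructed sample data.

```python
"""Unsalted NT hash vs. a toy salted hash: cost of dictionary cracking."""
import os
import struct

_MASK = 0xFFFFFFFF


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & _MASK


def _md4_compress(state, block):
    X = struct.unpack("<16I", block)
    a, b, c, d = state
    # Round 1: F(b,c,d) = (b & c) | (~b & d); message words in order.
    for i in range(16):
        f = (b & c) | (~b & _MASK & d)
        a = _rotl((a + f + X[i]) & _MASK, (3, 7, 11, 19)[i % 4])
        a, b, c, d = d, a, b, c
    # Round 2: G = majority; words 0,4,8,12,1,5,...; constant sqrt(2).
    for i in range(16):
        g = (b & c) | (b & d) | (c & d)
        k = (i % 4) * 4 + i // 4
        a = _rotl((a + g + X[k] + 0x5A827999) & _MASK, (3, 5, 9, 13)[i % 4])
        a, b, c, d = d, a, b, c
    # Round 3: H = xor; bit-reversed word order; constant sqrt(3).
    order3 = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)
    for i in range(16):
        h = b ^ c ^ d
        a = _rotl((a + h + X[order3[i]] + 0x6ED9EBA1) & _MASK, (3, 9, 11, 15)[i % 4])
        a, b, c, d = d, a, b, c
    return [(s + v) & _MASK for s, v in zip(state, (a, b, c, d))]


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4 (broken as a hash; here only because NT hashes use it)."""
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    bit_len = len(data) * 8
    data += b"\x80"
    data += b"\x00" * ((56 - len(data) % 64) % 64)
    data += struct.pack("<Q", bit_len)          # little-endian bit length
    for off in range(0, len(data), 64):
        state = _md4_compress(state, data[off:off + 64])
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> str:
    """Unsalted NT hash as stored in the SAM / NTDS: MD4(UTF-16LE(password))."""
    return md4(password.encode("utf-16le")).hex()


def toy_salted_hash(salt: bytes, password: str) -> str:
    """Illustrative only (not a real scheme): per-account salt prepended."""
    return md4(salt + password.encode("utf-16le")).hex()


def crack_unsalted(stored, wordlist):
    """stored: {user: nt_hash}. One table, built once, serves every account."""
    table = {nt_hash(w): w for w in wordlist}          # len(wordlist) hashes
    cracked = {u: table[h] for u, h in stored.items() if h in table}
    return cracked, len(wordlist)


def crack_salted(stored, wordlist):
    """stored: {user: (salt, hash)}. The table must be rebuilt per salt."""
    cracked, work = {}, 0
    for user, (salt, h) in stored.items():
        table = {toy_salted_hash(salt, w): w for w in wordlist}
        work += len(wordlist)
        if h in table:
            cracked[user] = table[h]
    return cracked, work


# Constructed sample data: two users share a password, one is not in the list.
WORDLIST = ["password", "Summer2008", "letmein", "P@ssw0rd", "qwerty"]
ACCOUNTS = {"alice": "Summer2008", "bob": "Summer2008",
            "carol": "P@ssw0rd", "dave": "9f!Qz-vh3B"}


def demo(accounts=ACCOUNTS, wordlist=WORDLIST):
    unsalted = {u: nt_hash(p) for u, p in accounts.items()}
    salted = {}
    for u, p in accounts.items():
        salt = os.urandom(8)                        # fresh salt per account
        salted[u] = (salt, toy_salted_hash(salt, p))
    cracked_u, work_u = crack_unsalted(unsalted, wordlist)
    cracked_s, work_s = crack_salted(salted, wordlist)
    # Targeted attack on one account: the salt buys nothing extra.
    _, work_targeted = crack_salted({"alice": salted["alice"]}, wordlist)
    return {
        "shared_password_visible": unsalted["alice"] == unsalted["bob"],
        "shared_password_hidden": salted["alice"][1] != salted["bob"][1],
        "cracked_unsalted": cracked_u, "work_unsalted": work_u,
        "cracked_salted": cracked_s, "work_salted": work_s,
        "work_targeted": work_targeted,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Running `demo()` shows the two sides of Dave's argument: against the whole account database the salted version multiplies the attacker's work by the number of accounts (and hides which users share a password), while against a single targeted account the work is identical to the unsalted case.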