[Zope-dev] Salt-weakness in zope.app.authentication passwordmanagers?

Wichert Akkerman wichert at wiggy.net
Sat Jan 17 19:23:23 EST 2009


Previously Uli Fouquet wrote:
> Hi Dan,
> 
> thanks for your quick response.
> 
> Dan Korostelev wrote:
> > Yeah, that's definitely a mistake! The hash needs to be generated
> > using both salt and password.
> > 
> > Also, I saw a technique when you generate a hash using double hashing,
> > like this: sha(sha(password) + salt).hexdigest(). It looks even more
> > secure :)
> 
> Hm, not sure. Building the hash of a hash doesn't give a more equal
> distribution, does it? Therefore it doesn't look 'more secure' to me.

It would not surprise me if it were in fact considerably weaker.
The cleartext space for the second hash is a lot smaller and very
predictable (you know the exact string length and that it consists only
of digits and lowercase letters), making an attack simpler.

Wichert.


-- 
Wichert Akkerman <wichert at wiggy.net>    It is simple to make things.
http://www.wiggy.net/                   It is hard to make things simple.
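The three constructions discussed in this thread, written out as an added
example (my code, not code from zope.app.authentication or from anyone in
the thread). hashlib.sha1 stands in for the old sha module; the "salt$hash"
record layout, the function names and the sample passwords are assumptions
made for illustration only.

```python
import hashlib
import hmac
import os
import re

# Added example, not the zope.app.authentication password manager.
# All three functions take bytes and return the hex digest as bytes.


def hash_salt_ignored(password: bytes, salt: bytes) -> bytes:
    """The mistake under discussion: a salt is stored, but the hash is
    computed over the password alone, so the salt changes nothing."""
    return hashlib.sha1(password).hexdigest().encode("ascii")


def hash_single(password: bytes, salt: bytes) -> bytes:
    """sha(salt + password): both inputs feed the hash."""
    return hashlib.sha1(salt + password).hexdigest().encode("ascii")


def hash_double(password: bytes, salt: bytes) -> bytes:
    """sha(sha(password).hexdigest() + salt): the double-hash variant."""
    inner = hashlib.sha1(password).hexdigest().encode("ascii")
    return hashlib.sha1(inner + salt).hexdigest().encode("ascii")


def encode(scheme, password: bytes, salt: bytes = None) -> bytes:
    """Build a stored record 'salt$hash' (record layout assumed here)."""
    if salt is None:
        salt = os.urandom(8).hex().encode("ascii")
    return salt + b"$" + scheme(password, salt)


def check(scheme, password: bytes, record: bytes) -> bool:
    """Verify a password against a stored 'salt$hash' record."""
    salt, _, digest = record.partition(b"$")
    return hmac.compare_digest(scheme(password, salt), digest)


def salt_is_effective(scheme, password: bytes = b"hunter2") -> bool:
    """The check that catches the mistake: the same password hashed under
    two different salts must produce two different hashes."""
    return scheme(password, b"salt-a") != scheme(password, b"salt-b")


def inner_digest_shape(password: bytes):
    """Shape of the second-stage input in hash_double: a hex digest is
    always 40 characters drawn from 0-9 and a-f, whatever the password."""
    inner = hashlib.sha1(password).hexdigest()
    return len(inner), bool(re.fullmatch(r"[0-9a-f]{40}", inner))


if __name__ == "__main__":
    for scheme in (hash_salt_ignored, hash_single, hash_double):
        record = encode(scheme, b"hunter2")
        print(scheme.__name__, record.decode(),
              "salt effective:", salt_is_effective(scheme),
              "verifies:", check(scheme, b"hunter2", record))
    print("inner digest shape:", inner_digest_shape(b"hunter2"))
```

salt_is_effective is the one-line test a reviewer would run against a
password manager: it fails for hash_salt_ignored and passes for the other
two. inner_digest_shape shows the fixed-length, lowercase-hex input that
the second hash in the double-hash variant always receives.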

