[UPHPU] Update on the security of md5 (for those who were at the meeting)

Adam Olsen adamo at mindzion.com
Mon Jan 24 14:05:12 MST 2005

Smith, Jeff wrote:
> Sorry for being so naïve. I still do not understand why salting in a
> web-based app helps protect from a dictionary attack.  My question is:
> if I am using a dictionary attack against your website, won't your
> authentication routines automatically apply the correct salt?  In other
> words, if I use a weak password, one that is a simple word, how does
> using salt to protect the hash keep my password safe?  This would keep
> my hash safe, but if someone can get access to my hash they can also
> access my salt.  If they can access my hash and my salt, what is the
> point of salting?
> Jeff "the confused but trying to understand" Smith

Hrmm, I guess my last reply didn't go to the list.  Sorry about that. 
Anyway, salting protects against dictionary attacks if the attacker has 
the actual end hash.
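
Added example, not part of the original post or of any code from the list: a small Python sketch of what a per-user salt changes when the stored hashes leak, and what it does not change for a weak password. The wordlist, user names, storage layout and function names are all constructed for illustration.

```python
import hashlib
import hmac
import os

# Constructed sample data: a tiny wordlist and two users with the same weak password.
WORDLIST = ["letmein", "password", "dragon", "sunshine"]
USERS = {"alice": "sunshine", "bob": "sunshine"}

def md5_hex(data: bytes) -> str:
    # MD5 only because the thread is about it; new systems should use a slow
    # password hash (bcrypt, scrypt, Argon2, PBKDF2) instead.
    return hashlib.md5(data).hexdigest()

def store_unsalted(users):
    """Password table as {user: md5(password)}."""
    return {u: md5_hex(p.encode()) for u, p in users.items()}

def store_salted(users):
    """Password table as {user: (salt, md5(salt + password))}, random salt per user."""
    table = {}
    for user, password in users.items():
        salt = os.urandom(16)
        table[user] = (salt, md5_hex(salt + password.encode()))
    return table

def precomputed_hits(stored_hashes, words=WORDLIST):
    """Count stored hashes found in a hash->word table built without knowing any salt."""
    table = {md5_hex(w.encode()): w for w in words}
    return sum(1 for h in stored_hashes if h in table)

def verify(salt: bytes, stored: str, candidate: str) -> bool:
    """What the login routine does: apply this user's salt, then compare."""
    return hmac.compare_digest(md5_hex(salt + candidate.encode()), stored)

def demo():
    unsalted = store_unsalted(USERS)
    salted = store_salted(USERS)
    return {
        "unsalted_same_hash": unsalted["alice"] == unsalted["bob"],
        "unsalted_table_hits": precomputed_hits(unsalted.values()),
        "salted_same_hash": salted["alice"][1] == salted["bob"][1],
        "salted_table_hits": precomputed_hits(h for _, h in salted.values()),
        # The salt is stored next to the hash, so a weak password still verifies
        # for anyone holding both; the salt only forces the work to be redone per user.
        "weak_password_still_verifies": verify(*salted["alice"], "sunshine"),
    }
```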


