To get a hashed password, using the SHA-256 algorithm.
On Jul 16, 12:06 am, Unruh <unruh-s...@physics.ubc.ca> wrote:
> Kless <jonas....@googlemail.com> writes:
> >Which size is recommended for a salt?
>
> For what? The answer could be anywhere from 0 bytes to 1000 bytes.
>
> >The 'bcrypt' hash algorithm (created by OpenBSD) uses a size of 128
> >bits (16 bytes).
>To get a hashed password, using the SHA-256 algorithm.
Again for what? Are you designing a system? Is this a system in use?
The purpose of the salt is to prevent the attacker from launching a
predetermined dictionary attack. Thus they could precompute the SHA hash of
a huge dictionary and compare to the hashed password. If you have salted
it, they would need to precalculate n times as large a database, where n is
the number of salts. If you are designing the thing, then it is up to you
to decide what value of n is big enough.
128 bits means that n is 2^128 = 10^40.
On Jul 16, 1:59 am, Unruh <unruh-s...@physics.ubc.ca> wrote:
> Kless <jonas....@googlemail.com> writes:
> >To get a hashed password, using the SHA-256 algorithm.
>
> Again for what? Are you designing a system? Is this a system in use?
I've been designing a system to hash the passwords of web
applications in a secure way.
>On Jul 16, 1:59 am, Unruh <unruh-s...@physics.ubc.ca> wrote:
>> Kless <jonas....@googlemail.com> writes:
>> >To get a hashed password, using the SHA-256 algorithm.
>>
>> Again for what? Are you designing a system? Is this a system in use?
>I've been designing a system to hash the passwords of web
>applications in a secure way.
OK, then as I have said, the salt is there to prevent precompiled
dictionary attacks on your system. A 128-bit salt is way overkill.
It also does no harm. Even the 12 bits of the Unix crypt
password help a lot.
Decide for yourself.
Note one of the other primary uses is to prevent an attacker from knowing
that a user has the same password on two different systems. Since you are,
for some weird reason, rolling your own, that is not a problem.
I've been thinking that the salt size could be set according to the password
entropy, to obtain a chosen security level of 128 bits or 64 bits.
On Jul 16, 3:49 pm, Unruh <unruh-s...@physics.ubc.ca> wrote:
> OK, then as I have said, the salt is there to prevent precompiled
> dictionary attacks on your system. A 128-bit salt is way overkill.
> It also does no harm. Even the 12 bits of the Unix crypt
> password help a lot.
> Decide for yourself.
>I've been thinking that the salt size could be set according to the password
>entropy, to obtain a chosen security level of 128 bits or 64 bits.
No. The salt is common knowledge. It cannot change the security level.
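The three points Unruh makes above (a salt defeats a precomputed dictionary table, the
table would have to grow by a factor of 2^salt_bits to cover every salt, and a salt that
is stored in the clear cannot raise the per-user guessing cost, so salt length is not a
"security level") can be seen in a few lines of code. The following is an added example
written for this page, not code from either poster. The six-word wordlist, the
two hard-coded salts and the H(salt || password) construction are constructed for
illustration only; a real system should use a purpose-built password hash such as the
bcrypt mentioned earlier in the thread rather than bare SHA-256.

```python
import hashlib
from typing import Dict, List, Optional, Tuple

# Constructed toy wordlist standing in for an attacker's dictionary.
# A real attacker uses millions of entries; six are enough to show the mechanics.
DICTIONARY: List[str] = ["password", "letmein", "hunter2", "qwerty", "correcthorse", "dragon"]


def hash_unsalted(password: str) -> bytes:
    """Plain SHA-256 of the password, as a naive scheme would store it."""
    return hashlib.sha256(password.encode("utf-8")).digest()


def hash_salted(password: str, salt: bytes) -> bytes:
    """SHA-256 over salt || password. Illustrative construction only; a real
    system should use bcrypt/scrypt/Argon2, not a single bare SHA-256."""
    return hashlib.sha256(salt + password.encode("utf-8")).digest()


def build_precomputed_table(dictionary: List[str]) -> Dict[bytes, str]:
    """Attacker's one-time, offline precomputation: digest -> plaintext for every
    word. Against unsalted hashes this one table is reused for every victim."""
    return {hash_unsalted(word): word for word in dictionary}


def lookup(table: Dict[bytes, str], digest: bytes) -> Optional[str]:
    """Crack a stored digest by table lookup: no hashing at attack time."""
    return table.get(digest)


def crack_salted(digest: bytes, salt: bytes, dictionary: List[str]) -> Tuple[Optional[str], int]:
    """Attack a salted digest when the salt is known (it sits next to the hash).
    The precomputed table is useless, so the attacker rehashes the dictionary for
    this salt. Returns (recovered password or None, hash computations spent)."""
    work = 0
    for candidate in dictionary:
        work += 1
        if hash_salted(candidate, salt) == digest:
            return candidate, work
    return None, work


def precomputed_entries(dictionary_size: int, salt_bits: int) -> int:
    """Table size needed to precompute every (salt, word) pair:
    dictionary_size * 2**salt_bits, Unruh's 'n times as large a database'."""
    return dictionary_size * (2 ** salt_bits)


def same_password_detectable(password: str, salt_a: bytes, salt_b: bytes) -> Tuple[bool, bool]:
    """Whether two accounts sharing a password are visibly linked: (unsalted, salted)."""
    unsalted_equal = hash_unsalted(password) == hash_unsalted(password)
    salted_equal = hash_salted(password, salt_a) == hash_salted(password, salt_b)
    return unsalted_equal, salted_equal


if __name__ == "__main__":
    table = build_precomputed_table(DICTIONARY)
    # 1. Unsalted: the stored hash falls to a table lookup, zero work per victim.
    print("unsalted lookup:", lookup(table, hash_unsalted("hunter2")))

    # 2. Salted: the table finds nothing; the attacker must rehash per user,
    #    and the work is the same whether the (known) salt is 16 or 128 bits.
    short_salt = b"\x00\x01"        # 16 bits, in the range of unix crypt's 12
    long_salt = bytes(range(16))    # 128 bits, bcrypt-sized
    for salt in (short_salt, long_salt):
        stored = hash_salted("hunter2", salt)
        print(len(salt) * 8, "bit salt, table lookup:", lookup(table, stored))
        print(len(salt) * 8, "bit salt, known-salt attack:", crack_salted(stored, salt, DICTIONARY))

    # 3. Salt length changes only the precomputation cost.
    for bits in (12, 16, 128):
        print(f"{bits:3d}-bit salt: full table needs {precomputed_entries(len(DICTIONARY), bits)} entries")

    # 4. Cross-system linkage: same password on two accounts.
    print("same password visible (unsalted, salted):",
          same_password_detectable("dragon", short_salt, long_salt))
```

Running it shows the unsalted digest recovered by lookup alone, the salted digests
recovered only after three fresh hash computations regardless of salt length, a
precomputation table multiplied by 4096 for a 12-bit salt and by 2^128 for a 128-bit
one, and two salted copies of the same password that no longer compare equal.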