WEP 100: Password generation from passphrase


pvncad

Dec 4, 2009, 1:22:38 AM
to mozilla-labs-weave-dev, an...@mozilla.com
Ref: https://wiki.mozilla.org/Labs/Weave/WEP/100

Hi,

I am working with Anant to implement this WEP and had the following
doubts.

I am thinking of adding a "salt" to the passphrase while auto-generating
the password and providing a way for the public to access this salt (as weave
clients should have this salt before logging into the weave server).

By storing this info at the weave server, we are going to give some extra
info (digest and part of the input used to generate this digest) to
recreate the passphrase.

So, I feel that we can get the same degree of security without using
the salt also. Please let me know if I am missing something in
understanding the rationale behind using salt.

Cheers.

Dan Mills

Dec 8, 2009, 4:13:54 PM
to mozilla-lab...@googlegroups.com
Without a salt, an attacker can create tables that will easily map
passphrases to their hashed representations. That is bad.

With a salt, even if the salt is known, the attacker does not know
what the passphrase is--they have to brute-force the hash.

Dan
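
The difference described in the reply above, as an added example that is not part of the original thread or of WEP 100: three constructed accounts are stored once without a salt and once with a public per-user salt, and the same precomputed table is checked against both. SHA-256, the 16-byte random salt and all names here are assumptions chosen for illustration.

```python
import hashlib
import os

# Constructed sample data: a small guess list and three accounts.
GUESSES = ["open sesame", "weave sync 2009", "correct horse", "hunter2 hunter2"]
USERS = {"alice": "open sesame", "bob": "open sesame", "carol": "weave sync 2009"}

def derive(passphrase, salt=b""):
    # SHA-256 is a stand-in digest (assumption), not the function WEP 100 specifies.
    return hashlib.sha256(salt + passphrase.encode("utf-8")).hexdigest()

def enroll(users, salted):
    # Server-side records: user -> (public salt, digest).
    records = {}
    for user, passphrase in users.items():
        salt = os.urandom(16) if salted else b""
        records[user] = (salt, derive(passphrase, salt))
    return records

def table_hits(records, guesses):
    # One table computed in advance with no salt, reused against every record.
    table = {derive(g): g for g in guesses}
    return {u: table[d] for u, (_, d) in records.items() if d in table}

def per_salt_work(records, guesses):
    # Hash computations needed when guessing must restart for each distinct salt.
    return len({salt for salt, _ in records.values()}) * len(guesses)

def compare():
    unsalted, salted = enroll(USERS, False), enroll(USERS, True)
    return {
        "unsalted_table_hits": len(table_hits(unsalted, GUESSES)),
        "salted_table_hits": len(table_hits(salted, GUESSES)),
        "unsalted_work": per_salt_work(unsalted, GUESSES),
        "salted_work": per_salt_work(salted, GUESSES),
        # Equal passphrases are visible as equal digests only without a salt.
        "unsalted_duplicates_visible": unsalted["alice"][1] == unsalted["bob"][1],
        "salted_duplicates_visible": salted["alice"][1] == salted["bob"][1],
        # A client that fetches the public salt still derives the same value.
        "client_can_rederive": derive("open sesame", salted["alice"][0]) == salted["alice"][1],
    }

if __name__ == "__main__":
    for key, value in compare().items():
        print(f"{key}: {value}")
```

A fast digest is used only to keep the comparison short; the salt removes table reuse across accounts but does not slow down guessing against a single record.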