[Owncloud] Salt

Thomas Tanghus thomas at tanghus.net
Fri Jun 8 09:34:02 UTC 2012


On Friday 08 June 2012 11:11 Klaas Freitag wrote:
> On 08.06.2012 10:40, Thomas Tanghus wrote:
> > On Friday 08 June 2012 10:15 Andreas Schneider wrote:
> >> You know there is this rocket science technology from the 70s. It is
> >> called salt in cryptography. I suggested several times to use salting in
> >> owncloud but we still don't have it.
> >> 
> >> First linkedin:
> >> http://www.h-online.com/security/news/item/LinkedIn-confirms-that-user-
> >> passwords-were-compromised-1612554.html
> >> 
> >> then last.fm:
> >> http://www.lastfm.de/passwordsecurity
> >> 
> >> 
> >> next: your owncloud installation ...
> > 
> > Now I don't know much about cryptography, but I read the code, followed
> > the password, and to me it looks like you're spreading FUD:
> This is not spreading FUD, we have to be careful here. Crypto that only
> uses randoms from the same machine is not secure by definition AFAIK.

I respond like that to undocumented, melodramatic mails in the morning ;-)

> The problem is: IF somebody gets the content of the database for
> whatever reason, it should be as difficult as possible to reconstruct
> the passwords used, as users tend to use passwords multiple times.
> 
> I think we should always strive for the best possible solution in these
> areas.

Obviously we should. And while we are working out the perfect solution, we
are using a library that has been thoroughly tested and is generally recommended:

http://stackoverflow.com/questions/4795385/how-do-you-use-bcrypt-for-hashing-passwords-in-php

-- 
Med venlig hilsen / Best Regards

Thomas Tanghus
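As an added illustration of the salting point argued above (example code written for this page, not ownCloud's code or anything posted in the thread), the following PHP contrasts an unsalted digest with bcrypt via password_hash(); the two user names and the shared password are constructed sample values, and PHP 7 or later is assumed.

```php
<?php
// Added example, not ownCloud code: why per-user salts matter when the
// password database leaks, and how bcrypt carries the salt for you.

// Constructed sample: two users who happen to share a password, as users
// "tend to use passwords multiple times".
$users = [
    'alice' => 'correct horse battery staple',
    'bob'   => 'correct horse battery staple',
];

// Unsalted digest: equal passwords give equal rows, so cracking one row
// cracks every user with that password, and precomputed tables apply.
function unsaltedDigest(string $password): string
{
    return hash('sha256', $password);
}

// bcrypt: password_hash() draws a fresh random salt on every call and
// stores algorithm, cost and salt inside the returned "$2y$12$..." string.
function bcryptHash(string $password, int $cost = 12): string
{
    return password_hash($password, PASSWORD_BCRYPT, ['cost' => $cost]);
}

// array_map() keeps the string keys when given a single array.
$unsalted = array_map('unsaltedDigest', $users);
$salted   = array_map('bcryptHash', $users);

// Same password: the unsalted digests collide, the bcrypt hashes do not.
echo 'unsalted digests equal: ', var_export($unsalted['alice'] === $unsalted['bob'], true), PHP_EOL;
echo 'bcrypt hashes equal:    ', var_export($salted['alice'] === $salted['bob'], true), PHP_EOL;

// Verification reads salt and cost back out of the stored string itself,
// so nothing besides that one column has to be kept per user.
echo 'alice verifies:         ', var_export(password_verify($users['alice'], $salted['alice']), true), PHP_EOL;
echo 'wrong password:         ', var_export(password_verify('wrong password', $salted['alice']), true), PHP_EOL;

// When the cost factor is raised later, existing rows can be upgraded at the
// user's next successful login instead of forcing a reset.
$needsRehash = password_needs_rehash($salted['alice'], PASSWORD_BCRYPT, ['cost' => 13]);
echo 'rehash needed at cost 13: ', var_export($needsRehash, true), PHP_EOL;
```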


