[Owncloud] Salt

Andreas Schneider asn at cryptomilk.org
Fri Jun 8 09:41:11 UTC 2012


On Friday 08 June 2012 10:40:57 Thomas Tanghus wrote:
> On Friday 08 June 2012 10:15 Andreas Schneider wrote:
> > You know there is this rocket science technology from the 70s. It is
> > called salt in cryptography. I suggested several times to use salting in
> > owncloud but we still don't have it.
> > 
> > First LinkedIn:
> > http://www.h-online.com/security/news/item/LinkedIn-confirms-that-user-passwords-were-compromised-1612554.html
> > 
> > then last.fm:
> > http://www.lastfm.de/passwordsecurity
> > 
> > 
> > next: your owncloud installation ...
> 
> Now I don't know much about cryptography, but I read the code, followed the
> password, and to me it looks like you're spreading FUD:
> 
> https://gitorious.org/owncloud/owncloud/blobs/master/3rdparty/phpass/PasswordHash.php#line208

Sorry, you're right.

$2a$08$lh85qKaF6CVi.azfbThI4.qbLZK9vw0XaLHWr616JbH...

looks like the first part is the random salt and the second is the hash, but 
why isn't simply bcrypt used?

-- 
Andreas Schneider                   GPG-ID: F33E3FC6
www.cryptomilk.org                asn at cryptomilk.org
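
The layout of the stored string quoted in the message, as an added example that is not part of the original post and is not ownCloud or phpass code: `$2a$` is the bcrypt identifier in modular crypt format, `08` is the cost, and the rest is a 22-character salt followed by a 31-character digest. The names `parse_bcrypt`, `BcryptHash` and `PAGE_VALUE` are hypothetical.

```python
import base64
import re
from typing import NamedTuple

# bcrypt uses its own base64 alphabet; the bit packing matches standard base64.
BCRYPT_B64 = b"./ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"
STD_B64 = b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
TO_STD = bytes.maketrans(BCRYPT_B64, STD_B64)

# $<variant>$<2-digit cost>$<22-char salt><digest, 31 chars when complete>
MCF = re.compile(r"\$(2[abxy]?)\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{0,31})")


class BcryptHash(NamedTuple):  # hypothetical name, for illustration
    variant: str
    cost: int          # work factor: 2**cost key-setup rounds
    salt: str          # 22 characters as stored
    salt_bytes: bytes  # the 16 random bytes they encode
    digest: str
    complete: bool     # False when the digest was cut short


def parse_bcrypt(stored: str) -> BcryptHash:
    """Split a bcrypt modular-crypt string into its fields."""
    m = MCF.fullmatch(stored)
    if m is None:
        raise ValueError("not a bcrypt modular-crypt string")
    variant, cost_text, salt, digest = m.groups()
    cost = int(cost_text)
    if not 4 <= cost <= 31:
        raise ValueError(f"cost {cost} outside bcrypt's 4..31 range")
    # 22 chars carry 132 bits; pad to a base64 quantum and keep 16 bytes.
    salt_bytes = base64.b64decode(salt.encode().translate(TO_STD) + b"==")
    return BcryptHash(variant, cost, salt, salt_bytes, digest, len(digest) == 31)


# The value quoted in the message, verbatim. "." is a valid character in
# bcrypt's alphabet, so the trailing dots parse, but the digest is still
# shorter than 31 characters and is reported as incomplete.
PAGE_VALUE = "$2a$08$lh85qKaF6CVi.azfbThI4.qbLZK9vw0XaLHWr616JbH..."

if __name__ == "__main__":
    h = parse_bcrypt(PAGE_VALUE)
    print(h.variant, h.cost, h.salt, h.salt_bytes.hex(), len(h.digest), h.complete)
```
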



