[Owncloud] Salt

Thomas Tanghus thomas at tanghus.net
Fri Jun 8 09:54:48 UTC 2012


On Friday 08 June 2012 11:29 Andreas Schneider wrote:
> On Friday 08 June 2012 10:40:57 Thomas Tanghus wrote:
> > On Friday 08 June 2012 10:15 Andreas Schneider wrote:
> > > You know there is this rocket science technology from the 70s. It is
> > > called salt in cryptography. I suggested several times to use salting in
> > > owncloud but we still don't have it.
> > > 
> > > First linkedin:
> > > http://www.h-online.com/security/news/item/LinkedIn-confirms-that-user-passwords-were-compromised-1612554.html
> > > 
> > > then last.fm:
> > > http://www.lastfm.de/passwordsecurity
> > > 
> > > 
> > > next: your owncloud installation ...
> > 
> > Now I don't know much about cryptography, but I read the code, followed
> > the password, and to me it looks like you're spreading FUD:
> > 
> > https://gitorious.org/owncloud/owncloud/blobs/master/3rdparty/phpass/PasswordHash.php#line208
> 
> I don't see a salt stored next to the password hash in the database, do you?

As I said I don't know much about cryptography or the difference between 
stored salts and generated salts - I actually flunked in it, so I leave the 
implementation to the experts; would that be you?

What I do know is the reaction when such posts hit e.g. IRC, I actually 
noticed it this morning.

But it is good that you take up the subject, and I'm looking forward to seeing 
the über secure solution for ownCloud.

-- 
Med venlig hilsen / Best Regards

Thomas Tanghus


