Re: Seeking advice on security best practice

On 23 Jan 2009, at 14:55, Mary Ellen Zurko wrote:

> > 1. What are the main dangers associated with the use of hashed
> > credentials? Identity spoofing?
> Hashing doesn't ensure a unique value, does it? So I presume in the  
> backend there's some hash table that tracks state and deals with  
> conflicts by trying some new has. I thought the security properties  
> of hashes were that it would be hard to find a second text that  
> hashes to the same value. Not sure how hard it is to come up with  
> something that hashes to some randomly useful identity. Seems like a  
> danger to me, but ianac.

Well, once you choose enough bits for your hash, that's not the  
problem.  (With a hash table, you aim at a small number of bits to  
keep the table small.)

The real trouble is that you don't want the token to be password- 

Received on Friday, 23 January 2009 13:59:45 UTC