> > > 1. What are the main dangers associated with the use of hashed
> > > credentials? Identity spoofing?
> >
> > Hashing doesn't ensure a unique value, does it? So I presume in the
> > backend there's some hash table that tracks state and deals with
> > conflicts by trying some new hash. I thought the security properties
> > of hashes were that it would be hard to find a second text that
> > hashes to the same value. Not sure how hard it is to come up with
> > something that hashes to some randomly useful identity. Seems like a
> > danger to me, but ianac.
>
> Well, once you choose enough bits for your hash, that's not the
> problem. (With a hash table, you aim at a small number of bits to
> keep the table small.)
>
> The real trouble is that you don't want the token to be password-
> equivalent.
>
So what is "enough bits"? The same maximum size as your identity? But why
don't you still have the birthday problem?
(I reiterate, ianac)
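
An added example, not part of the thread: the birthday question above, worked through for tokens made by truncating SHA-256 to a chosen width. The identity strings, function names and the `limit` parameter are assumptions made for illustration; it covers accidental collisions only, not the password-equivalence concern.

```python
import hashlib
import math

def truncated_hash(identity: str, bits: int) -> int:
    """SHA-256 of the identity, keeping only the top `bits` bits."""
    digest = hashlib.sha256(identity.encode("utf-8")).digest()
    return int.from_bytes(digest, "big") >> (256 - bits)

def first_collision(bits: int, limit: int = 1_000_000):
    """Hash constructed identities until two of them share a token.

    Returns (identities_hashed, earlier_identity, later_identity),
    or None if no collision occurs within `limit` identities.
    """
    seen = {}
    for i in range(limit):
        ident = f"user{i}@example.test"  # constructed sample identity
        token = truncated_hash(ident, bits)
        if token in seen:
            return i + 1, seen[token], ident
        seen[token] = ident
    return None

def collision_probability(n: int, bits: int) -> float:
    """Birthday approximation: chance that any two of n random
    `bits`-wide values coincide, 1 - exp(-n(n-1) / 2^(bits+1))."""
    return -math.expm1(-n * (n - 1) / 2.0 / 2.0 ** bits)

def bits_needed(n: int, max_probability: float) -> int:
    """Smallest width that keeps the accidental-collision chance
    among n identities at or below max_probability."""
    bits = 1
    while collision_probability(n, bits) > max_probability:
        bits += 1
    return bits

if __name__ == "__main__":
    for width in (16, 24, 32):
        hit = first_collision(width)
        print(width, "bits: collision after", hit[0] if hit else "none", "identities")
    print("2^16 identities, 32-bit token:", collision_probability(2 ** 16, 32))
    print("bits for 1e9 identities at p <= 1e-9:", bits_needed(10 ** 9, 1e-9))
```

The collision shows up after roughly the square root of the token space, which is why the width has to be sized against the square of the number of identities rather than against the number itself.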