List:       ms-cryptoapi
Subject:    Re: Information
From:       florio licia <florio () OMEGA ! IT>
Date:       2001-09-11 9:53:22


Miro Masnoglav wrote:

> Append secret key to clear password before hashing. You can avoid dictionary
> attack (hashing all possible passwords and checking the result) that way.
>
> Regards Miro
>

Hi Miro,
thanks for your answer. I have only one problem doing this: I don't have a secret
key (I've used a Java function that does everything; I mean the function calls
the sha algorithm, and so on).
On one side I have the user password stored in a database (in the way I
described); when a user tries to log on, the servlet reads the password, uses the
sha function and encodes the result in base64. At this point the servlet compares
the base64 string it got with the one in the database.

Regards,
Licia
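
The stored-hash scheme described in this message beside the keyed variant from the quoted reply, as an added example that is not code from either poster. The class and method names, the choice of SHA-256 (the message says only "sha"), the 32-byte random key and the sample password are all assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Base64;

public class PasswordHashDemo {
    // Scheme described in the message: base64(SHA(password)), no secret involved.
    static String plainHash(String password) throws NoSuchAlgorithmException {
        MessageDigest md = MessageDigest.getInstance("SHA-256"); // assumption: page says only "sha"
        byte[] digest = md.digest(password.getBytes(StandardCharsets.UTF_8));
        return Base64.getEncoder().encodeToString(digest);
    }

    // Suggestion from the quoted reply: append a secret key to the clear password before hashing.
    static String keyedHash(String password, byte[] secretKey) throws NoSuchAlgorithmException {
        MessageDigest md = MessageDigest.getInstance("SHA-256");
        md.update(password.getBytes(StandardCharsets.UTF_8));
        md.update(secretKey);
        return Base64.getEncoder().encodeToString(md.digest());
    }

    // Login check: recompute the keyed value and compare it with the stored one.
    // MessageDigest.isEqual compares in constant time, so timing does not reveal a partial match.
    static boolean verify(String attempt, byte[] secretKey, String stored)
            throws NoSuchAlgorithmException {
        byte[] computed = keyedHash(attempt, secretKey).getBytes(StandardCharsets.US_ASCII);
        return MessageDigest.isEqual(computed, stored.getBytes(StandardCharsets.US_ASCII));
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample data. The key is just random bytes, generated once by the
        // application and kept outside the password database (assumption).
        byte[] secretKey = new byte[32];
        new SecureRandom().nextBytes(secretKey);
        String password = "letmein";

        // Without a key, the stored value equals what anyone can precompute from a word list.
        String dbPlain = plainHash(password);
        System.out.println("plain equals precomputed: " + dbPlain.equals(plainHash("letmein")));

        // With the key appended, the precomputed value no longer matches the stored one.
        String dbKeyed = keyedHash(password, secretKey);
        System.out.println("keyed equals precomputed: " + dbKeyed.equals(plainHash("letmein")));

        System.out.println("correct password accepted: " + verify("letmein", secretKey, dbKeyed));
        System.out.println("wrong password accepted:   " + verify("letmein1", secretKey, dbKeyed));
    }
}
```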
