On Mon, 2007-01-01 at 07:43 -0800, Ryan Roth wrote:
> I can change it if that is what people want.  I personally like not 
> having blatant visible usernames or passwords in plain text files.

The model from the beginning of time has always been that usernames are
not secret.  I think changing that for the sake of being clever is
probably a bad idea.  I think in the best case you won't be helping
security, and in the worst case would be hurting it.

Everybody knows usernames are stored in the clear.  If you're worried
that your username leaks something personal, choose a different
username.


> When comparing given password to stored password how do you use the same 
> salt if it is random?  Or is it a random salt for that machine?

The salt is stored along with the crypted output:

[EMAIL PROTECTED] ~]$ python -c 'from crypt import crypt; print crypt("mypass", "$1$somesalt$")'
$1$somesalt$YNyB7foQZZvxHOICTr52H.

(somesalt could be derived from /dev/urandom.)  So when you want to
compare user input, you parse the salt from the front of the stored
password hash, and feed that back into crypt() with the user-supplied
password and see if the results match.

Cheers,
Jason.


_______________________________________________
Freevo-users mailing list
Freevo-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/freevo-users
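
The store-and-compare flow described in the reply above, as an added example that is not part of the original message or of Freevo's code. PBKDF2-SHA256 from hashlib stands in for crypt()'s `$1$` scheme so it runs without the platform crypt library; the record layout, function names and iteration count are assumptions.

```python
import base64
import hashlib
import hmac
import os

SCHEME = "pbkdf2-sha256"     # assumed scheme tag, analogous to the "1" in $1$
ITERATIONS = 200_000         # assumed work factor
MAX_ITERATIONS = 10_000_000  # refuse absurd values read from a stored record


def _b64(raw):
    return base64.b64encode(raw).decode("ascii")


def hash_password(password, salt=None, iterations=ITERATIONS):
    """Return '$scheme$iterations$salt$digest'; the salt travels with the hash."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt for every stored password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, iterations)
    return "${}${}${}${}".format(SCHEME, iterations, _b64(salt), _b64(digest))


def verify_password(candidate, stored):
    """Parse the salt out of the stored record, re-hash the candidate, compare."""
    try:
        # A leading '$' yields an empty first field; base64 never contains '$'.
        empty, scheme, iterations, salt_b64, digest_b64 = stored.split("$")
        iterations = int(iterations)
        salt = base64.b64decode(salt_b64, validate=True)
        expected = base64.b64decode(digest_b64, validate=True)
    except ValueError:  # wrong field count, bad integer or bad base64
        return False
    if empty or scheme != SCHEME or not 1 <= iterations <= MAX_ITERATIONS:
        return False
    actual = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"),
                                 salt, iterations)
    # Constant-time comparison avoids leaking how many leading bytes matched.
    return hmac.compare_digest(actual, expected)


if __name__ == "__main__":
    record = hash_password("mypass")
    print(record)
    print(verify_password("mypass", record), verify_password("guess", record))
```
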
