smartcardguy,
Should the salting scheme be disclosed to the public?
Disclosing it would certainly provide the attacker with easier cracking, but using salting would generally mean rainbow tables are pointless, no?
Should the salting scheme be disclosed to the public?
Disclosing it would certainly provide the attacker with easier cracking, but using salting would generally mean rainbow tables are pointless, no?
The scheme being public isnt a problem, there is little security in obscurity. IMHO a modern system that relies on passwords should use at least 128bit random salt per password, that salt can simply be stored in the clear with the salted hash as this simply increases the size of the precomputed hash table necessary to look up the clear text password and doesnt require any special protections.
Other things that should be considered in such systems is segmenting out the privliges necessary to perform the authentication from those necessary to perform transactions; this means you can have role seperation and you can let auditors look at your financial data without having to wory about them having access to your account table
