Home Forums Article Discussions Article Discussions by Author Discuss Content Posted by Yaroslav Pentsarskyy Preventing Identity Theft Using SQL Server RE: Preventing Identity Theft Using SQL Server

  • September 21, 2006 at 3:10 pm

    #661866

    @conficius247, you said:

    "And the secret/salt to the hash generation process will be the order that you put the data together."

    If you think about the issue of salt from an abstract perspective, using the order in which data is put together as salt can essentially be thought of as implementing table level security - once you crack the algorithm (which is the order in which the data is arranged), you have access to all the hashes that use it.

    On the other hand, the abstract equivalent of using random values as salt is row level security - even if you figure out the salt for a single hash, it cannot be used on any other hash since the salt varies from hash to hash.

    This abstract argument is similar to the rationale for having the scheme generate a hash for each user based on the combination of what they enter and the page where they entered it as opposed to just generating a single hash based on just the source page used to enter the data that is then used for all users.

    - Steve