Never link http://yoursite.com/foo/bar/x to:
A) plain http://static.yoursite.com/foo_bar_x.ext
B) Never use plain hashes of the ID. e.g. .../hash_of_id_here.ext
C) Borderline, but even static salts are bad: .../hash_of_id_plus_'foobar'_here.ext
Basic is, use a variable salt for every item. It can ever be public info, like the title, creation time, or anything that varies sufficiently per-item. That's the beauty of salts.
Or, alternatively, as better people than I have mentioned, use bcrypt with a set difficulty value, and all your rainbow table type fears go away.
Friday, December 14, 2007
When you're serving static files...
Posted by Justin George at 12:09 AM
Labels: hash functions, hashes, security
Subscribe to:
Post Comments (Atom)
No comments:
Post a Comment