Comment Re:Hey Wordpress... (Score 1) 103

I don't know that the statement "the salt will always be known" is a valid one. The fact that it's different for each password is what makes it secure.

The statements "the salt will always be known" and "it's different for each password" aren't mutually exclusive. You can have a unique salt for each user / password and still always know the salt for each of those users.

Also, in the case of Wordpress, I imagine the only password an attacker would be interested in would be that of an admin. Presumably you wouldn't be trying to brute force every single user's password on a Wordpress installation, anyway. Of course, then again, I'm not sure non-admins have a reason to have an account, anyway, since most Wordpress installs allow unauthenticated users to comment.

Comment Re:Hey Wordpress... (Score 1) 103

Salted passwords have nothing to do with what essentially is the same thing as obfuscating banners on web or mail servers. Salted passwords significantly improve security.

Do you even know what a salted password is? Instead of brute forcing hash(password) you brute force hash(salt + password). Since the salt is always going to be known, brute forcing hash(salt + password) takes no more time than brute forcing hash(password). All it protects against are run-of-the-mill rainbow table attacks.

Obfuscating banners only adds a trivial amount of work to determine the version a server is running.

I assume you're referring to the capability testing that the post mentioned? Tell me - did 2.8.4 even introduce new capabilities? If so, then, presumably, it should have been numbered 2.9.0 - not 2.8.4. And if they didn't add new capabilities, then capability testing wouldn't allow an attacker to figure out if you were running a vulnerable version or not,'s comments notwithstanding.
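The salt argument made in the two comments above (a unique per-user salt defeats a precomputed lookup table, but once the attacker has the salt it adds no work to a per-target dictionary attack), as an added Python example that is not part of the thread or of WordPress's own code. The wordlist and the two fixed per-user salts are constructed for illustration; the counts it reports are hash evaluations, the only cost that matters here.

```python
import hashlib
from typing import Dict, List, Optional, Tuple

# Constructed wordlist standing in for an attacker's dictionary (assumption,
# not data from the thread). Kept short so the counts below are easy to follow.
WORDLIST: List[str] = [
    "123456", "password", "letmein", "qwerty", "dragon", "correct horse", "admin2009",
]

# Two fixed per-user salts (constructed; a real system draws them randomly and
# stores them beside the hash, which is why the attacker always knows them).
SALT_ALICE = b"\x01\x02\x03\x04\x05\x06\x07\x08"
SALT_BOB = b"\x11\x12\x13\x14\x15\x16\x17\x18"


def unsalted_hash(password: str) -> str:
    """hash(password): the scheme a precomputed table attacks."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def salted_hash(salt: bytes, password: str) -> str:
    """hash(salt + password), exactly as the comment describes it."""
    return hashlib.sha256(salt + password.encode("utf-8")).hexdigest()


def build_lookup_table(wordlist: List[str]) -> Dict[str, str]:
    """Precompute hash -> password once and reuse it against every unsalted
    hash ever leaked. This is the rainbow-table style attack that salting defeats."""
    return {unsalted_hash(p): p for p in wordlist}


def crack_with_table(table: Dict[str, str], target: str) -> Tuple[Optional[str], int]:
    """Return (password or None, hash evaluations done at attack time).
    A table lookup costs zero evaluations: the work was done up front."""
    return table.get(target), 0


def brute_force(target: str, wordlist: List[str],
                salt: Optional[bytes] = None) -> Tuple[Optional[str], int]:
    """Try each candidate in order. salt=None means hash(password); otherwise
    hash(salt + password) with the known salt. Returns (password or None,
    evaluations performed)."""
    evaluations = 0
    for candidate in wordlist:
        evaluations += 1
        digest = unsalted_hash(candidate) if salt is None else salted_hash(salt, candidate)
        if digest == target:
            return candidate, evaluations
    return None, evaluations


def compare_attacks(password: str) -> Dict[str, int]:
    """Store one password three ways (unsalted, salted for Alice, salted for
    Bob) and count the work each attack needs against each stored form."""
    table = build_lookup_table(WORDLIST)
    stored_plain = unsalted_hash(password)
    stored_alice = salted_hash(SALT_ALICE, password)
    stored_bob = salted_hash(SALT_BOB, password)

    _, table_cost = crack_with_table(table, stored_plain)
    found_alice_by_table, _ = crack_with_table(table, stored_alice)
    _, plain_cost = brute_force(stored_plain, WORDLIST)
    _, alice_cost = brute_force(stored_alice, WORDLIST, SALT_ALICE)
    _, bob_cost = brute_force(stored_bob, WORDLIST, SALT_BOB)
    return {
        "table_lookup_unsalted": table_cost,          # 0: precomputed table wins
        "table_hits_salted": 1 if found_alice_by_table else 0,  # 0: table is useless
        "brute_force_unsalted": plain_cost,           # N candidates tried
        "brute_force_alice": alice_cost,              # same N, salt known
        "brute_force_bob": bob_cost,                  # same N again, per user
        "salts_give_distinct_hashes": 1 if stored_alice != stored_bob else 0,
    }


if __name__ == "__main__":
    for name, value in compare_attacks("dragon").items():
        print(f"{name:28s} {value}")
```

Run as a script it shows the two halves of the claim side by side: the table cracks the unsalted hash with no work at attack time and does nothing against the salted one, while a dictionary run against a salted hash costs exactly as many evaluations as against an unsalted one, and has to be repeated per user. Raising that per-target cost is a separate matter from salting: it comes from making each evaluation itself slow (iterated or memory-hard hashing), which is why real password stores pair the salt with a deliberately expensive hash.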

Comment add more commercials (Score 1) 313

TV networks generally have 15 minutes of commercials for every 45 minutes of programming and as loathsome as having that many commercials may be, I'd, personally, rather have that than have to pay $20.00 / month or whatever. And I don't see pirating as a viable alternative, either - however unjustified the penalties for copyright violation may be, the fact remains that if you get caught, you're liable to be fined several thousand dollars.
