[Discuss] salt question
Eric Chadbourne
eric.chadbourne at gmail.com
Mon Oct 21 11:22:30 EDT 2013
Hi,
I have a basic question about salt.
I was reading this:
http://www.openwall.com/articles/PHP-Users-Passwords
And don't quite understand this line:
"Salts are normally stored along with the hashes. They are not secret."
So if they are not secret what is the advantage if your site is
exploited? Such as if the salt is stored in a config file couldn't the
attacker utilize this with his rainbow tables? Also I see in PHP
crypt() you don't have to supply a salt. How does that work? Is there
a distinct salt per hash, and if yes, where is this stored?
I have a log in system I wrote myself with sha1 but from everything I've
been reading this seems inadequate.
Thanks for any tips!
--
Eric Chadbourne
http://theMnemeProject.org/
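
The line quoted from the Openwall article, shown with PHP's own functions. This is an added example, not part of the original message; it assumes PHP 7 or later, and the user names and passwords are constructed sample data.

```php
<?php
// Added illustration: where the per-hash salt lives in a bcrypt string.

// Split "$2y$<cost>$<22-char salt><31-char digest>" into its parts.
function parse_bcrypt(string $stored): array
{
    $re = '/^\$(2[abxy])\$(\d{2})\$([.\/A-Za-z0-9]{22})([.\/A-Za-z0-9]{31})$/';
    if (!preg_match($re, $stored, $m)) {
        throw new InvalidArgumentException('not a bcrypt hash string');
    }
    return ['scheme' => $m[1], 'cost' => (int) $m[2], 'salt' => $m[3], 'digest' => $m[4]];
}

// Verify by passing the stored string back to crypt() as its salt argument:
// crypt() reads the scheme, cost and salt from the front of that string.
function verify_password(string $password, string $stored): bool
{
    return hash_equals($stored, crypt($password, $stored));
}

// Two users choose the same password; each call draws a fresh random salt.
// The array stands in for a users table with one hash column (constructed data).
$db = [
    'alice' => password_hash('correct horse', PASSWORD_BCRYPT, ['cost' => 10]),
    'bob'   => password_hash('correct horse', PASSWORD_BCRYPT, ['cost' => 10]),
];

foreach ($db as $user => $stored) {
    $p = parse_bcrypt($stored);
    printf("%-5s cost=%d salt=%s digest=%s\n", $user, $p['cost'], $p['salt'], $p['digest']);
}

// Same password, different salts: the stored strings differ, so a table
// precomputed without these exact salts matches neither row.
var_dump($db['alice'] === $db['bob']);

// Each row still verifies using only what is stored in that row.
var_dump(verify_password('correct horse', $db['alice']));
var_dump(verify_password('wrong guess', $db['bob']));
```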