[Discuss] salt question
Derek Atkins
warlord at MIT.EDU
Mon Oct 21 12:04:02 EDT 2013
"Eric Chadbourne" <eric.chadbourne at gmail.com> writes:
> Hi,
>
> I have a basic question about salt.
>
> I was reading this:
> http://www.openwall.com/articles/PHP-Users-Passwords
>
> And don't quite understand this line:
> "Salts are normally stored along with the hashes. They are not secret."
>
> So if they are not secret what is the advantage if your site is
> exploited? Such as if the salt is stored in a config file couldn't
> the attacker utilize this with his rainbow tables? Also I see in PHP
> crypt() you don't have to supply a salt. How does that work? Is
> there a distinct salt per hash, and if yes, where is this stored?
>
> I have a log in system I wrote myself with sha1 but from everything
> I've been reading this seems inadequate.
The advantage is that it prevents certain types of dictionary attacks.
It does this because the same password generates a different hash when
hashed with different salts. So if you and I both use password xxxxxx
they wont hash to the same target in the database. So if someone gets a
copy of the database they wont be able to see that you and I have the
same password. Moreover, they wont be able to quickly see that you
happen to use the same password on a dozen different sites, because each
salt would be different so the hashes would all be different.
In general the salt is unique per user. A global salt would at least
help across multiple sites on different services. If you don't use a
salt then it's a direct hash of your password, which would be the same
as if there were a globally constant salt.
> Thanks for any tips!
Hope this helped?
> --
> Eric Chadbourne
> http://theMnemeProject.org/
-derek
--
Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
Member, MIT Student Information Processing Board (SIPB)
URL: http://web.mit.edu/warlord/ PP-ASEL-IA N1NWH
warlord at MIT.EDU PGP key available
More information about the Discuss
mailing list