
BLU Discuss list archive


[Discuss] salt question



Hi,

I have a basic question about salt.

I was reading this:
http://www.openwall.com/articles/PHP-Users-Passwords

And don't quite understand this line:
"Salts are normally stored along with the hashes. They are not secret."

So if they are not secret what is the advantage if your site is 
exploited?  Such as if the salt is stored in a config file couldn't the 
attacker utilize this with his rainbow tables?  Also I see in PHP 
crypt() you don't have to supply a salt.  How does that work?  Is there 
a distinct salt per hash, and if yes, where is this stored?

I have a log in system I wrote myself with sha1 but from everything I've 
been reading this seems inadequate.

Thanks for any tips!

--
Eric Chadbourne
http://theMnemeProject.org/




BLU is a member of BostonUserGroups
We also thank MIT for the use of their facilities.
