"Eric Chadbourne" <eric.chadbourne at gmail.com> writes:

> Hi,
>
> I have a basic question about salt.
>
> I was reading this:
> http://www.openwall.com/articles/PHP-Users-Passwords
>
> And don't quite understand this line:
> "Salts are normally stored along with the hashes. They are not secret."
>
> So if they are not secret what is the advantage if your site is
> exploited? Such as if the salt is stored in a config file couldn't
> the attacker utilize this with his rainbow tables? Also I see in PHP
> crypt() you don't have to supply a salt. How does that work? Is
> there a distinct salt per hash, and if yes, where is this stored?
>
> I have a login system I wrote myself with sha1 but from everything
> I've been reading this seems inadequate.

The advantage is that it prevents certain types of dictionary attacks. It does this because the same password generates a different hash when hashed with different salts. So if you and I both use password xxxxxx they won't hash to the same target in the database. So if someone gets a copy of the database they won't be able to see that you and I have the same password. Moreover, they won't be able to quickly see that you happen to use the same password on a dozen different sites, because each salt would be different so the hashes would all be different.

In general the salt is unique per user. A global salt would at least help across multiple sites on different services. If you don't use a salt then it's a direct hash of your password, which would be the same as if there were a globally constant salt.

> Thanks for any tips!

Hope this helped?

> --
> Eric Chadbourne
> http://theMnemeProject.org/

-derek

--
Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
Member, MIT Student Information Processing Board (SIPB)
URL: http://web.mit.edu/warlord/    PP-ASEL-IA     N1NWH
warlord at MIT.EDU                        PGP key available
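The following is an added illustration of the point made in the reply above; it is not code from either poster or from the Openwall article. It uses Python's standard-library PBKDF2 (a slow, salted hash) in place of PHP's crypt(), and the storage format, the usernames and the iteration count are assumptions chosen for the example. It shows that two users with the same password end up with different stored values when each gets a random per-user salt, that the stored (non-secret) salt is all the verifier needs to re-check a login, and that a single site-wide salt, by contrast, still makes duplicate passwords visible to anyone holding a copy of the database.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Assumed storage format (constructed for this example):
#   "pbkdf2_sha256$<iterations>$<salt hex>$<hash hex>"
# The salt is written into the record in the clear; it is not a secret.
ITERATIONS = 100_000


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algorithm, cost, salt and digest."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt per stored password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest with the salt taken from the stored record."""
    try:
        algo, iters, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    salt = bytes.fromhex(salt_hex)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, int(iters))
    # Constant-time comparison so verification timing leaks nothing.
    return hmac.compare_digest(digest.hex(), digest_hex)


def shared_password_visible(records: Dict[str, str]) -> bool:
    """True if any two users' stored values are identical, i.e. an attacker
    holding the table can tell those users chose the same password."""
    values = list(records.values())
    return len(values) != len(set(values))


def demo() -> Tuple[Dict[str, str], Dict[str, str]]:
    """Constructed sample: two users who both picked the password 'xxxxxx'."""
    # Per-user salts: records differ even though the passwords are equal.
    per_user = {
        "alice": hash_password("xxxxxx"),
        "bob": hash_password("xxxxxx"),
    }
    # One site-wide constant salt (constructed): records come out identical.
    global_salt = b"site-wide-constant-salt"
    global_db = {
        "alice": hash_password("xxxxxx", global_salt),
        "bob": hash_password("xxxxxx", global_salt),
    }
    return per_user, global_db


if __name__ == "__main__":
    per_user, global_db = demo()
    for name, rec in per_user.items():
        print(name, rec)
    print("duplicates visible with per-user salts:",
          shared_password_visible(per_user))
    print("duplicates visible with a global salt:",
          shared_password_visible(global_db))
    print("alice logs in:", verify_password("xxxxxx", per_user["alice"]))
```

The record carries its own salt and iteration count, so nothing beyond the table row is needed to verify a login, which is exactly why the salt need not be secret: its job is to make each stored hash unique, not to hide anything. Raising the iteration count is what makes the hash slow; a plain SHA-1 of the password, salted or not, remains fast to guess.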