Boston Linux & Unix (BLU) Home | Calendar | Mail Lists | List Archives | Desktop SIG | Hardware Hacking SIG
Wiki | Flickr | PicasaWeb | Video | Maps & Directions | Installfests | Keysignings
Linux Cafe | Meeting Notes | Blog | Linux Links | Bling | About BLU

BLU Discuss list archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Discuss] salt question

Most excellent answers!  I grok it now.


Eric Chadbourne

------ Original Message ------
From: "Dr. Anthony Gabrielson" <agabrielson1 at>
To: "Eric Chadbourne" <eric.chadbourne at>
Sent: 10/21/2013 12:23:45 PM
Subject: Re: [Discuss] salt question
>On Oct 21, 2013, at 11:22 AM, Eric Chadbourne 
><eric.chadbourne at> wrote:
>>  Hi,
>>  I have a basic question about salt.
>>  I was reading this:
>>  And don't quite understand this line:
>>  "Salts are normally stored along with the hashes. They are not 
>>  So if they are not secret what is the advantage if your site is 
>>exploited? Such as if the salt is stored in a config file couldn't the 
>>attacker utilize this with his rainbow tables? Also I see in PHP 
>>crypt() you don't have to supply a salt. How does that work? Is there 
>>a distinct salt per hash, and if yes, where is this stored?
>>  I have a log in system I wrote myself with sha1 but from everything 
>>I've been reading this seems inadequate.
>>  Thanks for any tips!
>>  --
>>  Eric Chadbourne
>Hi Eric,
>  Think of salt as a multiplier which makes (pre-computed) rainbow table 
>generation more complicated. When verifying a password, the equation is 
>straightforward: crypt(salt, passwd_to_verify) == stored_passwd_hash. 
>The original salt idea was to make it difficult for attackers because 
>it should take a certain amount of time to compute a hash and the 
>amount of space to store pre-computed rainbow tables for all salt 
>values would be preventive. In reality storage space has dropped in 
>price considerably and the rainbow table generation process is really 
>easy to solve with a cluster; I know more than a few people 
>continuously generating rainbow tables across all salt values. It is 
>still better to use salt because there isn't a good alternative without 
>going to Multi Factor Authentication.

BLU is a member of BostonUserGroups
BLU is a member of BostonUserGroups
We also thank MIT for the use of their facilities.

Valid HTML 4.01! Valid CSS!

Boston Linux & Unix /