re: Salting
A pretty good discussion thread is posted here.
Salts serve two main purposes:
1) Stop precomputation attacks
2) Protect other accounts in case of a compromise
Before salts were used, an attacker could precompute huge tables of password->hash, then flip the table and use it as a lookup table, especially for the "common" passwords (password, guest, admin, all dictionary words). Then if they got access to an /etc/passwd file they would know all the cleartext passwords. Using a good salt makes it computationally infeasible to pregenerate this table.
The other protection was along the same lines. If you don't use a hash and you and I pick the same password "Foo", it hashes to the same value. Again, if an attacker gets access to /etc/passwd he could see that multiple people used the same password, so if he cracks one he cracks two. Also, as many people use the same password in multiple places (and on different computers the same password would hash to the same hash in the absence of a hash), compromised accounts can easily cascade.
The PHP crypt() function by default produces a 3DES hash with a "random" 2 character salt if called with only one argument. If called with two arguments, the structure of the second argument determines the size of the salt and the hash algorithm. If the first character is not a '$', then crypt grabs the first two characters and uses those as the 3DES salt. If the first three characters are '$1$' then it grabs the next twelve characters to use as the salt to an MD5 hash. If it's '$2$' it grabs the next 16 characters for the salt to a Blowfish hash. (Note that Blowfish does not produce through base64 encoded results, so you may have trouble using it in some places.)
I used crypt($stuff,'$1$'.substr(MD5(microtime() . getmypid() . session_id()),0,12)) or similar when I'm producing the original hashed password; to compare you still use if (crypt($enteredPass,$storedPass)==$storedPass)
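
The two purposes of a salt listed in the post above, as an added example that is not part of the original post. It uses Python's hashlib with SHA-256 as a stand-in for crypt(); the `salt$hash` record format, the user names and the word list are constructed for the demonstration.

```python
import hashlib
import hmac
import secrets

def digest(password: str, salt: bytes) -> str:
    # SHA-256 is a stand-in for the crypt() schemes in the post (assumption of this demo).
    return hashlib.sha256(salt + password.encode()).hexdigest()

def make_record(password: str, salted: bool = True) -> str:
    """Store 'salt_hex$hash_hex' (constructed format); an empty salt models no salting."""
    salt = secrets.token_bytes(16) if salted else b""
    return f"{salt.hex()}${digest(password, salt)}"

def verify(entered: str, stored: str) -> bool:
    """Re-hash with the salt read from the stored record, like crypt($entered, $stored)."""
    salt_hex = stored.split("$", 1)[0]
    candidate = f"{salt_hex}${digest(entered, bytes.fromhex(salt_hex))}"
    return hmac.compare_digest(candidate, stored)

def build_table(wordlist):
    """Precomputed hash -> password table, valid only for the salt it was built with (none)."""
    return {digest(word, b""): word for word in wordlist}

def recovered(table, records):
    """Users whose stored hash appears in the precomputed table."""
    hits = {}
    for user, record in records.items():
        hash_hex = record.split("$", 1)[1]
        if hash_hex in table:
            hits[user] = table[hash_hex]
    return hits

def demo():
    # Constructed sample data: two users share the password "Foo".
    passwords = {"alice": "Foo", "bob": "Foo", "carol": "guest"}
    table = build_table(["password", "guest", "admin", "Foo"])
    unsalted = {u: make_record(p, salted=False) for u, p in passwords.items()}
    salted = {u: make_record(p) for u, p in passwords.items()}
    return {
        "unsalted_recovered": recovered(table, unsalted),
        "salted_recovered": recovered(table, salted),
        "unsalted_same": unsalted["alice"] == unsalted["bob"],
        "salted_same": salted["alice"] == salted["bob"],
        "login_ok": verify("Foo", salted["alice"]),
        "login_bad": verify("foo", salted["alice"]),
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```
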