Question about Salts

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.


Kivork
Forum Newbie
Posts: 4
Joined: Sun Jun 29, 2008 6:38 pm

Question about Salts

Post by Kivork »

Hi, I'm new to PHP and was reading about salts and hashes.

As I understand it, the reason for a salt is to make it harder for someone to crack a hashed password in the event they manage to steal that hash. But if you store the salt in a database as well, then couldn't the person who stole the password simply steal the salt also? And then what would be the point of it?

This is probably a really stupid question; I think I'm missing something that is preventing me from understanding it.

Any help would be appreciated.
Eran
DevNet Master
Posts: 3549
Joined: Fri Jan 18, 2008 12:36 am
Location: Israel, ME

Re: Question about Salts

Post by Eran »

The point is that each password has a unique salt, making it impossible to attack all the passwords in a table at the same time, and also foiling dictionary attacks by adding a non-dictionary word to the hashing process. An attacker would have to break each password individually, since they are hashed differently: two identical passwords will have two different hashes, and so forth.
Mordred
DevNet Resident
Posts: 1579
Joined: Sun Sep 03, 2006 5:19 am
Location: Sofia, Bulgaria

Re: Question about Salts

Post by Mordred »

Additionally, if you use TWO salts (aka "salt and pepper"), one in the database (unique per user) and one hardcoded in the source you would make it greatly harder (nearly "impossible") to crack ANY password. I've explained the details in a paper (still in "draft" stage) here: viewtopic.php?t=62782
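The two answers above (Eran's per-user salt, Mordred's salt plus pepper) can be seen side by side in a small simulation. The following is an added example and not code posted by anyone in this thread: it builds a constructed three-user table, hashes each password three ways, and then plays the attacker who has stolen the whole table, salts included. The pepper value, user names, passwords and wordlist are all made up for the demonstration; SHA-256 is used only so the output is easy to follow (see the note after the code).

```php
<?php
// Added example, not code from the thread. Shows why a per-user salt stored
// beside the hash still helps, and what a source-side "pepper" adds on top.
// Assumes PHP >= 7.0 (random_bytes, hash_equals).
declare(strict_types=1);

// Hypothetical pepper: lives in source code, a config file or an environment
// variable, never in the database table that holds the hashes.
const PEPPER = 'constructed-pepper-value-not-a-real-secret';

function make_salt(): string {
    return bin2hex(random_bytes(16)); // 32 hex chars, freshly generated per user
}

// Unsalted: same password gives the same hash, and precomputed tables apply.
function hash_unsalted(string $password): string {
    return hash('sha256', $password);
}

// Salted: the salt is stored in the DB next to the hash, but every row
// becomes a separate cracking target.
function hash_salted(string $password, string $salt): string {
    return hash('sha256', $salt . $password);
}

// Salted and peppered: HMAC keyed with the pepper, so a DB dump alone
// (salt + hash) is not enough to even start a dictionary attack.
function hash_peppered(string $password, string $salt, string $pepper): string {
    return hash_hmac('sha256', $salt . $password, $pepper);
}

// Login check: constant-time comparison against the stored value.
function verify_login(string $password, string $salt, string $stored, string $pepper): bool {
    return hash_equals($stored, hash_peppered($password, $salt, $pepper));
}

// Constructed user list: alice and bob happen to share a password.
$plaintexts = ['alice' => 'letmein', 'bob' => 'letmein', 'carol' => 'hunter2'];

// What lands in the database under each scheme. The attacker steals all of it.
$db = [];
foreach ($plaintexts as $user => $pw) {
    $salt = make_salt();
    $db[$user] = [
        'salt'     => $salt,
        'unsalted' => hash_unsalted($pw),
        'salted'   => hash_salted($pw, $salt),
        'peppered' => hash_peppered($pw, $salt, PEPPER),
    ];
}

// Attacker's constructed wordlist.
$wordlist = ['password', '123456', 'letmein', 'qwerty', 'hunter2'];

// Unsalted scheme: hash the wordlist ONCE, then crack every user by lookup.
// alice and bob fall out of the same lookup because their hashes are identical.
$precomputed = [];
foreach ($wordlist as $w) {
    $precomputed[hash_unsalted($w)] = $w;
}
$cracked_unsalted = [];
foreach ($db as $user => $row) {
    if (isset($precomputed[$row['unsalted']])) {
        $cracked_unsalted[$user] = $precomputed[$row['unsalted']];
    }
}

// Salted scheme: the precomputed table is useless. The attacker must re-hash
// the wordlist for every user (users x words hash operations instead of words),
// and cracking alice tells them nothing about bob.
$cracked_salted = [];
$work = 0;
foreach ($db as $user => $row) {
    foreach ($wordlist as $w) {
        $work++;
        if (hash_salted($w, $row['salt']) === $row['salted']) {
            $cracked_salted[$user] = $w;
            break;
        }
    }
}

// Salted + peppered scheme, attacker holds the DB (salts included) but not
// the pepper: every candidate is hashed without the key, so nothing matches.
$cracked_peppered = [];
foreach ($db as $user => $row) {
    foreach ($wordlist as $w) {
        if (hash_salted($w, $row['salt']) === $row['peppered']) {
            $cracked_peppered[$user] = $w;
        }
    }
}

printf("alice/bob unsalted hashes equal: %s\n", var_export($db['alice']['unsalted'] === $db['bob']['unsalted'], true));
printf("alice/bob salted hashes equal:   %s\n", var_export($db['alice']['salted'] === $db['bob']['salted'], true));
printf("cracked unsalted, one lookup:    %s\n", implode(',', array_keys($cracked_unsalted)));
printf("cracked salted, %d hashes:       %s\n", $work, implode(',', array_keys($cracked_salted)));
printf("cracked peppered without pepper: %s\n", $cracked_peppered ? implode(',', array_keys($cracked_peppered)) : '(none)');
printf("legit login for alice:           %s\n", var_export(verify_login('letmein', $db['alice']['salt'], $db['alice']['peppered'], PEPPER), true));
```

Two caveats a practitioner should keep in mind. First, the pepper only helps for as long as the attacker has the database but not the source or config; if the web server itself is compromised, both usually leave together, and the pepper buys nothing. Second, a single SHA-256 round is fast enough that a salted table is still crackable one user at a time with a good wordlist and modern hardware; the salt removes the shortcut, not the attack. In current PHP the right primitive is password_hash()/password_verify(), which generates the per-user salt for you and uses a deliberately slow algorithm, and the pepper (if used) is best applied as an HMAC over the password before that call rather than by concatenation.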