
How do I salt & pepper passwords?

Posted: Sun Oct 05, 2008 4:26 am
by JAB Creations
First off, I read this thread by Mordred, which I think was awesome. I've been working on a lot of authentication-related stuff and I'm far from posting anything live or in the critique forum for a while; however, it's now or never with securing passwords on my test databases.

I think I grasp the fundamental aspects of salt and pepper. In my head at least I'm thinking a universal salt in PHP and a per-user pepper, obviously stored in the MySQL database. I'm just not sure what code/functions are used to add the salt and pepper.

Here is an example of a SHA256 Hash...

Code: Select all

hash("sha256", $data, false);

...what would I do to add $salt and $pepper to it?

Re: How do I salt & pepper passwords?

Posted: Sun Oct 05, 2008 4:35 am
by Mordred
Any way you like, as long as all three values enter the hash; even string concatenation will do:

Code: Select all

hash("sha256", $salt.$data.$pepper, false);
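As an added example, not code from the thread or from Mordred: a complete PHP register/verify pair built on the one-line concatenation above. It draws a random per-user salt and stores it beside the digest, keeps a site-wide pepper in server configuration rather than in the database, and adds the verification step the reply does not show. The function names (`make_salt`, `hash_password`, `register`, `verify`), the placeholder `$pepper` value and the use of PHP 7's `random_bytes()` and `hash_equals()` are my own assumptions.

```php
<?php
// Added example (not code from the thread): a per-user salt and a site-wide
// pepper combined into one SHA-256 digest by plain concatenation, as in
// Mordred's reply, plus the matching verification step.
//
// Assumptions (mine, not the thread's):
//   - the pepper is a secret loaded from server config, never stored in the DB;
//   - the salt is random per user and stored next to the hash;
//   - PHP >= 7.0 for random_bytes() and hash_equals().

// Site-wide pepper. In real code load this from config/env outside the webroot;
// it is hard-coded here only so the example runs stand-alone.
$pepper = 'example-pepper-loaded-from-config';

// 16 random bytes -> 32 hex characters; unpredictable, one per user.
function make_salt(int $bytes = 16): string {
    return bin2hex(random_bytes($bytes));
}

// All three values enter the hash; the order just has to be the same when
// hashing and when verifying.
function hash_password(string $password, string $salt, string $pepper): string {
    return hash('sha256', $salt . $password . $pepper, false);
}

// What you would write to the users table for a new account: the salt and the
// hex digest. The pepper is deliberately absent from the row.
function register(string $password, string $pepper): array {
    $salt = make_salt();
    return ['salt' => $salt, 'hash' => hash_password($password, $salt, $pepper)];
}

// Verification recomputes the digest with the stored salt and the configured
// pepper, then compares in constant time so the comparison itself does not
// leak how many leading characters matched.
function verify(string $password, array $row, string $pepper): bool {
    $candidate = hash_password($password, $row['salt'], $pepper);
    return hash_equals($row['hash'], $candidate);
}

// Demonstration on constructed input.
$row = register('correct horse battery staple', $pepper);
var_dump(verify('correct horse battery staple', $row, $pepper));
var_dump(verify('Tr0ub4dor&3', $row, $pepper));

// Same password, second account: a different salt gives a different digest,
// so two users with the same password do not share a hash.
$row2 = register('correct horse battery staple', $pepper);
var_dump($row['hash'] !== $row2['hash']);
```

Two practical notes on this layout: the pepper only helps if it lives somewhere an attacker who dumps the database does not also get (config file or environment, not a table), and a single SHA-256 is designed to be fast, which also makes guessing fast for anyone holding both the dump and the pepper. The same salt-and-pepper structure drops unchanged into a deliberately slow password hash such as bcrypt if that is a concern.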

Re: How do I salt & pepper passwords?

Posted: Sun Oct 05, 2008 4:43 am
by JAB Creations
The hash part I wasn't sure about; however, the concatenation obviously makes sense.

Thanks for your reply and the other thread that you started! I've actually been thinking about creating a column that counts unsuccessful authentication attempts and freezes the account for administrative review as a way to prevent brute forcing on my site. Then, if (because bots don't need to jump through hoops) the bot is still posting authentication where, for example, a user would not have the GUI capability to do so in the browser, I could add the IP to a freeze or suspect list. There are just endless ways to determine abuse through various patterns. :)

Re: How do I salt & pepper passwords?

Posted: Sun Oct 05, 2008 4:50 am
by arjan.top
I would go the "Google" way, not locking the account ...

just show a captcha after many unsuccessful authentication attempts.

Re: How do I salt & pepper passwords?

Posted: Sun Oct 05, 2008 5:20 am
by JAB Creations
There are two reasons I won't...

1.) I am interested in designer development. Developers make code that does stuff; designers take something and make it do it in the way you want. Therefore, as users encounter errors or dead ends where I fail to take certain circumstances into consideration, I can adapt my work/site accordingly, catching more people in the future with every instance. I usually code this way to begin with, and while even the most in-depth coders will still have some holes in their code, I can at least become aware of any issues by having my code make me aware of its own shortcomings.

2.) Google? That's like saying I should use Internet Explorer, the browser, in this day and age where security holes are found literally within hours of a software release ...when it didn't change for five years and had a 99% market share; both share a universal and thus very high market share. Why would I want to use the absolute most targeted methods, the ones being targeted by hackers, to prevent...hacking?