5 Replies - 970 Views - Last Post: 25 February 2012 - 06:40 AM

#1 AliumOnions

  • New D.I.C Head

Reputation: 0
  • Posts: 6
  • Joined: 21-March 09

Salts Best Practice - Random vs Reproducible

Posted 25 February 2012 - 05:46 AM

I'm implementing a (hopefully) secure login and I'm adding a salt to my users' passwords before hashing but I'm not sure about the best practice for determining the salt. I've looked around a bit online and many people give advice about salting using a random number but don't go into much detail about how it will be used in authentication.

With a randomly generated salt, would you need to store the random salt somewhere such as a database so you have it available to authenticate when the user logs in? I'm assuming this would involve pulling the username, looking the stored salt up in the database, returning it to my PHP authentication script, and then using it to hash the password and then finally compare that hash with the hashed password in the database. I'm wondering though, is having the salt stored in any way a security hole? Or have I made the wrong assumption about how a random salt is stored/used?

As opposed to storing a salt, is a reproducible salt (one that can be regenerated for each user via the PHP script) a valid alternative? For example, something like a substring of another hash algorithm or a homemade function that returns a random-looking but reproducible string based on the username? Or is having anything but a random salt make it too easy to crack?

Thanks in advance!


Replies To: Salts Best Practice - Random vs Reproducible

#2 Dormilich

  • 痛覚残留

Reputation: 3481
  • Posts: 10,033
  • Joined: 08-June 10

Re: Salts Best Practice - Random vs Reproducible

Posted 25 February 2012 - 05:59 AM

AliumOnions, on 25 February 2012 - 01:46 PM, said:

I'm wondering though, is having the salt stored in any way a security hole? Or have I made the wrong assumption about how a random salt is stored/used

you have a wrong assumption about what a salt's purpose is. a cryptographic salt (in web apps) is mainly used for preventing hash table look-ups (resp. dictionary attacks) (ref.). using a salt along with the data (pass phrase) a) makes sure your hashed phrase ain't already stored in some rainbow table and b) (if you have a different salt for each user) requires the attacker to compute the hash for every user (which takes considerably more time to get a match than if every user used the same salt).

This post has been edited by Dormilich: 25 February 2012 - 06:00 AM


#3 AliumOnions

  • New D.I.C Head

Reputation: 0
  • Posts: 6
  • Joined: 21-March 09

Re: Salts Best Practice - Random vs Reproducible

Posted 25 February 2012 - 06:22 AM

Ok so then if I understand correctly, it doesn't really matter if it's random or reproducible, as long as it's random-looking enough that it won't be in a rainbow table? And you're confirming that it's good to get a different salt for each user, so I'll keep doing that.

#4 Dormilich

  • 痛覚残留

Reputation: 3481
  • Posts: 10,033
  • Joined: 08-June 10

Re: Salts Best Practice - Random vs Reproducible

Posted 25 February 2012 - 06:26 AM

(truly) random salts are better than only random-looking ones (is there a difference?) because they increase entropy.

#5 JackOfAllTrades

  • Saucy!

Reputation: 6036
  • Posts: 23,421
  • Joined: 23-August 08

Re: Salts Best Practice - Random vs Reproducible

Posted 25 February 2012 - 06:38 AM

Here's a post I made a while back for hashing passwords with a random salt. It leverages the fact that the hash generated by an algorithm is always the same length and generates a random salt, prepending it to the hashed password.
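The scheme JackOfAllTrades describes (a random per-user salt prepended to a fixed-length hash and stored as one field, then split again at verification time) as an added example that is not from the thread or from any poster's code; it is written in Python rather than PHP so it runs stand-alone, and it assumes PBKDF2-SHA256 with a constructed iteration count in place of a bare hash call, which keeps the fixed 32-byte output length the split relies on.

```python
import hashlib
import hmac
import secrets
from typing import Optional

SALT_LEN = 16          # bytes of random salt generated per password
HASH_LEN = 32          # SHA-256 output length; always the same, so the split is unambiguous
ITERATIONS = 200_000   # PBKDF2 work factor (constructed value for the example)


def _derive(password: str, salt: bytes) -> bytes:
    """Fixed-length hash of password under the given salt (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                               ITERATIONS, dklen=HASH_LEN)


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return hex(salt || hash). The salt is stored in the clear next to the hash;
    that is expected, since its job is only to defeat precomputed tables."""
    if salt is None:
        salt = secrets.token_bytes(SALT_LEN)   # CSPRNG, not a username-derived value
    if len(salt) != SALT_LEN:
        raise ValueError("salt must be exactly SALT_LEN bytes")
    return (salt + _derive(password, salt)).hex()


def verify_password(password: str, stored: str) -> bool:
    """Split the stored field at SALT_LEN, re-derive, and compare in constant time."""
    try:
        blob = bytes.fromhex(stored)
    except ValueError:
        return False                           # corrupted or tampered record
    if len(blob) != SALT_LEN + HASH_LEN:
        return False                           # wrong layout, refuse rather than guess
    salt, expected = blob[:SALT_LEN], blob[SALT_LEN:]
    return hmac.compare_digest(_derive(password, salt), expected)


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print("stored:", record)
    print("login ok:", verify_password("correct horse battery staple", record))
    print("wrong pw:", verify_password("Tr0ub4dor&3", record))
```

Because the salt comes from `secrets`, hashing the same password twice yields two different stored values, which is exactly the per-user property Dormilich describes.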

#6 AliumOnions

  • New D.I.C Head

Reputation: 0
  • Posts: 6
  • Joined: 21-March 09

Re: Salts Best Practice - Random vs Reproducible

Posted 25 February 2012 - 06:40 AM

Ah ok, I getcha. Thanks for the help and clarification!
