Re: Newbie Salt and Pass Phrase Question.




Larry Lindstrom wrote:
<snip>
If that's the case, will it be secure to generate one
salt for my application and use the same salt for every
user?

That would solve the problem.

This has already been answered in brief, but remembering the
¨newbie¨ in the subject line i´ll expand a little bit ;)

The basic purpose of a salt, is, as has been mentioned, to make
pre-computing simple passwords (such as dictionary words) and then
comparing them to the hashes stored in your database much more
difficult. Say twenty of your users choose the password ¨password¨
(just for an example, anything common really). Without salts it is
trivial for the attacker to compare these hashes to his precomputed
list, which is sure to contain such a simple word, and suddenly he has
their passwords. On the other hand, with unique salts, all of those
twenty hashes would be different, and the attacker would have to
individually attack each hash instead of whipping up a quick program to
do it to millions while he watches Star Trek re-runs (and this is even
if the salts are not secret...secret salts could even further
complicate individual hash cracking). So having unique salts is crucial
to the entire thing.

You could, of course, just remind your users to choose complex
alphanumeric passwords that bear no relation to words in any language,
but I would advice against leaving that in the hands of the users, and
really try to generate good unique salts for each user.

.



Relevant Pages

  • RE: Rainbow Tables
    ... Fortunatly for this project we are only doing LM passwords, all on Windows machines. ... > the hashes and the cracked clear text and merge them into a table? ... have 4096 salts that are possible per password. ...
    (Pen-Test)
  • Re: Newbie Salt and Pass Phrase Question.
    ... pre-computing simple passwords and then ... On the other hand, with unique salts, all of those ... complicate individual hash cracking). ... pass phrase, and not share. ...
    (sci.crypt)
  • Re: Apache web server 2.2: htpasswd predictable salt weakness
    ... PW> - Salts created by htpasswd are very predictable. ... PW> should be used for MD5. ... protects against rainbow tables attacks in case stored passwords are ... that is salt is known to attacker. ...
    (Bugtraq)
  • Re: What is md5sum?
    ... and what were the salts? ... Otherwise this is another urban ... one of my friends once found two passwords which had the same hash ...
    (comp.os.linux.setup)
  • RE: Values to use for a salt?
    ... Using salts means the ... > attacker must compute all possible values of the password in the ... dictionaries virtually useless. ... Ton Geurts ...
    (SecProg)