Re: Newbie Salt and Pass Phrase Question.




Larry Lindstrom wrote:
<snip>
If that's the case, will it be secure to generate one
salt for my application and use the same salt for every
user?

That would solve the problem.

This has already been answered in brief, but remembering the
"newbie" in the subject line I'll expand a little bit ;)

The basic purpose of a salt is, as has been mentioned, to make
pre-computing simple passwords (such as dictionary words) and then
comparing them to the hashes stored in your database much more
difficult. Say twenty of your users choose the password "password"
(just for an example, anything common really). Without salts it is
trivial for the attacker to compare these hashes to his precomputed
list, which is sure to contain such a simple word, and suddenly he has
their passwords. On the other hand, with unique salts, all of those
twenty hashes would be different, and the attacker would have to
individually attack each hash instead of whipping up a quick program to
do it to millions while he watches Star Trek re-runs (and this is even
if the salts are not secret...secret salts could even further
complicate individual hash cracking). So having unique salts is crucial
to the entire thing.

You could, of course, just remind your users to choose complex
alphanumeric passwords that bear no relation to words in any language,
but I would advise against leaving that in the hands of the users, and
really try to generate good unique salts for each user.
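
Added example, not part of the original post: it stores the twenty-users-with-"password" case from the reply twice, once under a single application-wide salt and once under per-user random salts, then runs a wordlist audit over each to show how many stored hashes are distinct and how many hash computations the check costs. PBKDF2-HMAC-SHA256, the iteration count, the user names and the wordlist are assumptions made for the example.

```python
import hashlib
import hmac
import os

ITERATIONS = 1_000  # assumption: kept low so the demo runs fast; production values are far higher
USERS = [f"user{i:02d}" for i in range(20)]      # constructed: twenty accounts
WORDLIST = ["letmein", "password", "qwerty"]     # constructed: tiny audit dictionary

def hash_password(password: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256 (chosen for this example, not named in the post)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def build_db(salt_for, password="password"):
    """Store (salt, hash) per user; salt_for(user) selects the salting scheme."""
    db = {}
    for user in USERS:
        salt = salt_for(user)
        db[user] = (salt, hash_password(password, salt))
    return db

def distinct_hashes(db) -> int:
    return len({stored for _, stored in db.values()})

def audit(db, wordlist=WORDLIST):
    """Test each account against the wordlist, reusing a computed hash for
    every account with the same salt. Returns (weak accounts, hashes computed)."""
    cache, weak = {}, []
    for user, (salt, stored) in db.items():
        for word in wordlist:
            if (salt, word) not in cache:
                cache[(salt, word)] = hash_password(word, salt)
            if hmac.compare_digest(cache[(salt, word)], stored):
                weak.append(user)
                break
    return weak, len(cache)

APP_SALT = os.urandom(16)                          # one salt for the whole application
shared_db = build_db(lambda user: APP_SALT)
unique_db = build_db(lambda user: os.urandom(16))  # fresh random salt per user

if __name__ == "__main__":
    for name, db in (("app-wide salt", shared_db), ("per-user salts", unique_db)):
        weak, cost = audit(db)
        print(f"{name}: {distinct_hashes(db)} distinct hashes, "
              f"{len(weak)} weak accounts found with {cost} hash computations")
```

With the shared salt all twenty records carry the same hash and one computation per candidate word covers every account; with per-user salts the work is repeated for each account.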
