Re: store salt in database

"Paul Rubin" <http://phr.cx@xxxxxxxxxxxxxx> wrote in message
news:7xzmfeyrb4.fsf@xxxxxxxxxxxxxxxxxxxxxx
> "amygdala" <noreply@xxxxxxxxxxx> writes:
>> Quite a few articles on the web argue that each individual user should be
>> assigned a salt to hash their password with. But how would one remember
>> this salt? If I was to put these salts into the records of their respective
>> users, and the database is compromised, the use of such individual salts
>> would be pointless, since a hacker knows which salt belongs to which user,
>> no?

> Users never have to think about the salt. The application generates a
> random salt for each user, and stores it in the database (unencrypted)
> as part of the user record. That is, setting a user's password works
> like this:
>
> password = <get password from user>
> salt = <generate a random string>
> hashed = hash_function(salt + password)
> <store (salt) and (hashed) in user record>

But what then is the surplus value of the salt if it is stored in the record
of the user? To my understanding the salt is used to make it difficult to
apply 'brute force' to decipher passwords if the database is compromised by
a hacker, right? But if a hacker knows the salt, because it is stored in the
same record next to the hashed salt+password, applying 'brute force' to it
would be just as 'easy' again, wouldn't it?
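The exchange above leaves the practical question open, so here is a worked example, added by the editor and not part of the original thread, that implements the set-password procedure Paul Rubin sketches (random per-user salt stored in the clear beside `hash_function(salt + password)`) and then plays the attacker against both an unsalted and a salted user table. The user list and the small dictionary are constructed for the demonstration; SHA-256 stands in for the unspecified `hash_function`, and in practice a deliberately slow password hash (bcrypt, scrypt, Argon2, PBKDF2) would be used in its place. The point the code makes is that a known salt does not let the attacker skip work: without salts one pass over the dictionary cracks every user at once (and equal hashes reveal shared passwords before any cracking), whereas with salts the dictionary has to be re-hashed separately for every user.

```python
import hashlib
import hmac
import os

# Constructed sample data for the demonstration (not from the original post).
USERS = {"alice": "letmein", "bob": "letmein", "carol": "hunter2"}
WORDLIST = ["123456", "password", "letmein", "hunter2", "qwerty"]


def hash_function(salt: bytes, password: str) -> bytes:
    """hash_function(salt + password) from the post, with SHA-256 standing in.
    A real deployment would use a slow password hash such as Argon2 here."""
    return hashlib.sha256(salt + password.encode("utf-8")).digest()


def set_password(password: str) -> dict:
    """Create a user record: a fresh random salt plus hash(salt + password).
    The salt is stored unencrypted, exactly as described in the reply."""
    salt = os.urandom(16)
    return {"salt": salt, "hash": hash_function(salt, password)}


def verify_password(record: dict, password: str) -> bool:
    """Recompute hash(salt + candidate) and compare in constant time."""
    candidate = hash_function(record["salt"], password)
    return hmac.compare_digest(candidate, record["hash"])


def build_unsalted_records(users: dict) -> dict:
    """The weak design: hash(password) only, no per-user salt."""
    return {u: hashlib.sha256(p.encode("utf-8")).digest() for u, p in users.items()}


def build_salted_records(users: dict) -> dict:
    """The recommended design: one random salt per user, stored with the hash."""
    return {u: set_password(p) for u, p in users.items()}


def crack_unsalted(records: dict, wordlist: list) -> tuple:
    """Attacker against unsalted hashes: hash the dictionary ONCE, then look
    every user's hash up in the table. Returns (cracked, hash_operations)."""
    table = {}
    work = 0
    for word in wordlist:
        table[hashlib.sha256(word.encode("utf-8")).digest()] = word
        work += 1
    cracked = {u: table[h] for u, h in records.items() if h in table}
    return cracked, work


def crack_salted(records: dict, wordlist: list) -> tuple:
    """Attacker against salted hashes WITH full knowledge of every salt.
    The salt is known, yet each user's salt changes the input, so the whole
    dictionary must be re-hashed per user; no table can be shared between
    users or precomputed before the breach. Returns (cracked, hash_operations)."""
    cracked = {}
    work = 0
    for user, rec in records.items():
        for word in wordlist:
            work += 1
            if hash_function(rec["salt"], word) == rec["hash"]:
                cracked[user] = word
                break
    return cracked, work


def demo() -> dict:
    """Run both attacks over the constructed users and report the work done."""
    unsalted = build_unsalted_records(USERS)
    salted = build_salted_records(USERS)
    _, unsalted_work = crack_unsalted(unsalted, WORDLIST)
    _, salted_work = crack_salted(salted, WORDLIST)
    return {
        # equal hashes leak that alice and bob share a password, for free
        "unsalted_shared_hash": unsalted["alice"] == unsalted["bob"],
        "salted_shared_hash": salted["alice"]["hash"] == salted["bob"]["hash"],
        "unsalted_work": unsalted_work,
        "salted_work": salted_work,
    }


if __name__ == "__main__":
    print(demo())
```

With three users and a five-word dictionary the unsalted attack costs five hash operations for the whole table, while the salted attack costs ten even though the attacker holds every salt; with a million users the ratio is what matters, and the same logic is why precomputed rainbow tables are useless against salted databases. What the salt does not do is slow down guessing against a single chosen user, which is why the stand-in SHA-256 above should be replaced with a deliberately slow password hash.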