Hash and Salts

  • SpooF
  • ٩๏̯͡๏۶
  • Bronze Member
  • Posts: 3422
  • Loc: Richland, WA

Post 3+ Months Ago

So salting just makes things a little slower for someone who has gained access to your database. Instead of using a standard rainbow table they would have to generate a new one for the salt. Also, if you use a different salt for each user it requires just that much more time to gain access to all the passwords.

Now whenever people talk about salts they always use a column in their table called `salt`; to me it sounds kind of stupid to use something like that.

I was thinking about how else to do hashes and I came up with this idea. Really it comes down to using an algorithm to generate the hash. If someone gains access to your source then you're out of luck again though.

PHP Code:
$hash_arr = array();
for ($i = 0; $i < strlen($pwd); $i++) {
    // hash each character of the password on its own
    array_push($hash_arr, sha1($pwd[$i]));
}

// hash the concatenation of the per-character hashes
$hash = sha1(implode($hash_arr));


Where $pwd is a string to hash.

  • AdamC
  • Beginner
  • Posts: 38

Post 3+ Months Ago

I'm not sure about how salts and hashes work, but does your script work with existing algorithms like md5?
  • spork
  • Brewmaster
  • Silver Member
  • Posts: 6241
  • Loc: Seattle, WA

Post 3+ Months Ago

SpooF wrote:
Now whenever people talk about salts they always use a column in their table called `salt`; to me it sounds kind of stupid to use something like that.

This is news to me; I've always seen it to be common practice to use other parts of the data (a combination of other fields, for example) as the salt. I've never seen anyone store a "salt" value. Like you said, that would be pretty pointless.
  • Nightslyr
  • Proficient
  • Posts: 283

Post 3+ Months Ago

FWIW, using a member's registration timestamp as a salt is pretty common. It's unique, and unique to each user. Even better, if you keep that date hidden to everyone except that user when viewing the profile, it's impossible to guess. No one's going to want to brute force every second from the epoch.
  • nightimedweller
  • Newbie
  • Posts: 7

Post 3+ Months Ago

This is a standard way of hashing a string with a salt; it pretty much protects against most rainbow tables:
$salt = substr(str_shuffle('0123456789abcdefghijklmnopqrstuvwxyz'), 0, 12);

The main point is for the salts to be like you said DIFFERENT for each record, so that a single rainbow table won't compromise the whole table of passwords. The "strength" of the salts isn't as important.
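SpooF's point about a different salt per user and nightimedweller's per-record salt describe the same scheme, written out here in full as an added example (my code, not from any post in this thread): a random salt generated per account, stored in its own column beside the hash, and a deliberately slow key derivation so that a leaked table still costs work for every row. The salt column is not a secret; its only job is to make each row's hash unique. Function names and the iteration count are my own assumptions.

```php
<?php
// Added example, not code from the thread: per-user random salt stored
// beside the hash, with PBKDF2 as a slow derivation. Names are my own.

const PBKDF2_ITERATIONS = 100000; // assumption: tune to ~100 ms on your server

// Registration: generate a fresh random salt for this record and store both
// fields (a `salt` column and a `hash` column) in the user's row.
function createPasswordRecord(string $pwd): array {
    $salt = random_bytes(16); // CSPRNG, unique per user
    $hash = hash_pbkdf2('sha256', $pwd, $salt, PBKDF2_ITERATIONS, 0, true);
    return ['salt' => bin2hex($salt), 'hash' => bin2hex($hash)];
}

// Login: recompute with the salt from the stored row and compare in
// constant time so the comparison itself leaks nothing about the hash.
function verifyPassword(string $pwd, array $record): bool {
    $salt = hex2bin($record['salt']);
    $hash = hash_pbkdf2('sha256', $pwd, $salt, PBKDF2_ITERATIONS, 0, true);
    return hash_equals($record['hash'], bin2hex($hash));
}

// Two users with the same password get different hashes, so a single
// precomputed table cannot cover both rows.
$a = createPasswordRecord('hunter2'); // constructed sample password
$b = createPasswordRecord('hunter2');
var_dump($a['hash'] !== $b['hash']);
var_dump(verifyPassword('hunter2', $a));
var_dump(verifyPassword('hunter3', $a));

// PHP 5.5+ bundles the same pattern: password_hash() generates the salt
// and stores it inside the returned string; password_verify() reads it back.
$stored = password_hash('hunter2', PASSWORD_DEFAULT);
var_dump(password_verify('hunter2', $stored));
```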


© 1998-2014. Ozzu® is a registered trademark of Unmelted, LLC.