Password hashing and salts

  • SpooF
  • ٩๏̯͡๏۶
  • Bronze Member
  • Posts: 3423
  • Loc: Richland, WA

Post 3+ Months Ago

For anyone that doesn't know what a salt is, you can read a little on Wikipedia.

There's quite an interesting conversation over at the CodeIgniter boards about hashing and salts. I figured I would bring it over here and see what the Ozzu community has to say about them.

You can read what's been said at the CodeIgniter community here.

Basically they are talking about how you should use salts to protect your users passwords.

Anyone have any opinions about hashing and salts?

My personal thoughts are that you should be more concerned about protecting your database and source code than about how you should be using salts. A "simple" salt is extremely effective if the attacker doesn't know how you're using it or what it is.

If I was really paranoid I would generate a mutating salt, whether that's every time a user logs in (the database hash and salt are updated) or if I have a continuous process that updates the hash and salt every 5 minutes. If someone can rainbow-table a password in under 5 minutes, more power to them, but before they even generate a rainbow table they have to get to my source and my database.
  • joebert
  • Genius
  • Posts: 13511
  • Loc: Florida

Post 3+ Months Ago

The only way I could see a mutating salt work is if the salt were updated immediately after a successful login. For instance the submitted password would have the current salt applied, the login would be checked, and if valid a new salt would be generated right then and there before applying it to the password and saving the new hash.

Otherwise you'd have to store the plain text password somewhere.
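The two posts above describe per-user salting and a "mutating" salt that is rotated only at the moment of a successful login, when the plaintext password is in hand. The following is an added example written for this page, not code from either poster or from CodeIgniter, and it is in Python rather than PHP. The hash function (PBKDF2-HMAC-SHA256), the 16-byte salt size, the iteration count and the in-memory `db` dict standing in for a users table are all assumptions of this example.

```python
import hashlib
import hmac
import os

# Assumptions for this example (not from the thread): PBKDF2-HMAC-SHA256 as the
# slow hash, a 16-byte random salt per user, and a plain dict standing in for
# the users table. 600,000 iterations follows current OWASP guidance for
# PBKDF2-HMAC-SHA256; a real application would use a dedicated password hash.
ITERATIONS = 600_000
SALT_BYTES = 16


def make_salt() -> bytes:
    """A fresh, unpredictable salt. Never reuse one across users or rotations."""
    return os.urandom(SALT_BYTES)


def hash_password(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Slow, salted hash. The salt is stored beside the hash in the clear: its job is
    to make precomputed (rainbow) tables useless, not to stay secret."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def create_user(db: dict, username: str, password: str) -> None:
    """Store salt, cost parameter and hash; the plaintext is never written anywhere."""
    salt = make_salt()
    db[username] = {
        "salt": salt,
        "iterations": ITERATIONS,
        "hash": hash_password(password, salt),
    }


def verify_login(db: dict, username: str, password: str) -> bool:
    """Check the password and, on success, rotate salt and hash (joebert's scheme).

    Rotation is possible here only because the request carries the plaintext;
    a background job running every few minutes could not re-salt without
    having stored the plaintext somewhere.
    """
    record = db.get(username)
    if record is None:
        # Burn the same work for unknown users so response time does not
        # reveal which usernames exist.
        hash_password(password, make_salt())
        return False

    candidate = hash_password(password, record["salt"], record["iterations"])
    # Constant-time comparison so the check itself leaks nothing about the hash.
    if not hmac.compare_digest(candidate, record["hash"]):
        return False

    # Successful login: re-salt and re-hash right now, while the plaintext is in hand.
    # This is also the natural place to upgrade the cost parameter.
    new_salt = make_salt()
    record["salt"] = new_salt
    record["iterations"] = ITERATIONS
    record["hash"] = hash_password(password, new_salt)
    return True


if __name__ == "__main__":
    users = {}
    create_user(users, "alice", "correct horse battery staple")
    before = users["alice"]["hash"].hex()
    print("login ok:", verify_login(users, "alice", "correct horse battery staple"))
    print("hash rotated:", users["alice"]["hash"].hex() != before)
    print("wrong password:", verify_login(users, "alice", "wrong"))
```

Two users with the same password end up with different stored hashes because each has its own random salt, which is what defeats a shared rainbow table whether or not the salt is ever rotated. The rotation on login adds freshness but does not need the salt to be secret, and it never requires the plaintext to be persisted.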


© 1998-2017. Ozzu® is a registered trademark of Unmelted, LLC.