+- CodeIgniter Forums (https://forum.codeigniter.com)
+-- Forum: Archived Discussions (https://forum.codeigniter.com/forumdisplay.php?fid=20)
+--- Forum: Archived General Discussion (https://forum.codeigniter.com/forumdisplay.php?fid=21)
+--- Thread: Fixed salt vs. random salt in Community Auth (/showthread.php?tid=52760)
Fixed salt vs. random salt in Community Auth - El Forum - 06-25-2012
[eluser]skunkbad[/eluser]
Somebody posted an issue at the Community Auth repo on bitbucket, and I just wanted to get some visibility and opinions on the issue:
#5 Password encryption is fundamentally flawed
Basically, the concern is that a fixed salt is "fundamentally flawed", and a recent attack on linkedIn is referenced. What I found when searching for information was that linkedIn did not salt their passwords at all, and they were getting sued for $5M as a result.
Community Auth has always salted user passwords, and I've never heard of a fixed salt as being insufficient or "fundamentally flawed".
Before posting this, I updated Community Auth to use a random salt, and the fixed salt was retained, so user passwords are now salted twice. Pretty salty if you ask me.
So what is the truth? Is basic salting with a fixed salt not good enough?
Edit: I just updated the temporary registration data to use a random salt for that password, so there are no instances of passwords being saved that don't use a random salt.
Fixed salt vs. random salt in Community Auth - El Forum - 06-25-2012
[eluser]Jason Hamilton-Mascioli[/eluser]
Additional security is always welcome. Not sure if its necessary for most websites but up-and-coming and major sites should adopt random salting.
Fixed salt vs. random salt in Community Auth - El Forum - 06-26-2012
[eluser]Patrick Spence[/eluser]
[quote author="skunkbad" date="1340648284"]
Community Auth has always salted user passwords, and I've never heard of a fixed salt as being insufficient or "fundamentally flawed".
Before posting this, I updated Community Auth to use a random salt, and the fixed salt was retained, so user passwords are now salted twice. Pretty salty if you ask me.
So what is the truth? Is basic salting with a fixed salt not good enough?
[/quote]
From what I understand.. using no salt, means its easier to do a rainbow table attack, using a single salt for all passwords, means they just have to have a single set of rainbow tables for that dataset.. but having a new salt for everyone means that no one rainbow table can be used for the whole site, requiring a new table for each.
You can read about rainbow tables here: http://en.wikipedia.org/wiki/Rainbow_table
One key sentence from that article is this:
Quote:The salt value is not secret and may be generated at random and stored with the password hash. A large salt value prevents precomputation attacks, including rainbow tables, by ensuring that each user's password is hashed uniquely. This means that two users with the same password will have different password hashes (assuming different salts are used).
So I would recommend a salt per user. That is how I do it with my auth system. If you really want to get plucky, you can add a sitewide salt, though I don't know how much that might improve security.
Fixed salt vs. random salt in Community Auth - El Forum - 06-26-2012
[eluser]skunkbad[/eluser]
This is what I ended up doing:
Code:
public function hash_passwd( $password, $random_salt )
{
if( CRYPT_BLOWFISH == 1 )
{
return crypt( $password . $this->CI->config->item('encryption_key'), '$2a$07$' . $random_salt . '$' );
}
return sha1( $random_salt . $password . $this->CI->config->item('encryption_key') );
}So I'm using a random salt and a fixed salt. Apparently blowfish/bcrypt is better, so if it is available that is the default. Haven't had more time to play around with it, but if you have any suggestions let me know.
Fixed salt vs. random salt in Community Auth - El Forum - 06-26-2012
[eluser]InsiteFX[/eluser]
This is what I created and use similar to skunkbad's but uses hash with SHA512
Code:
// ------------------------------------------------------------------------
/**
* gen_hash()
*
* Hashes the password and CI 32-bit encryption key
* using SHA-512. I place this in my user_model.
*
* You can also pass in the password field to
* this method to generate the encryption key then return the value.
*
* NOTE: The Database password field needs to be varchar(128)
* Can also be used for generating hash for other values.
* You can also pass a second parameter to this method if needed.
*
* @access public
* @param string - $str_1 - default value
* @param string - $str_2 - optional value
* @retrun string - the 128 char encrypted string
*/
if ( ! function_exists('gen_hash'))
{
function gen_hash($str_1, $str_2 = '')
{
$_ci = get_instance();
return hash('SHA512', $str_1 . $str_2 . $_ci->config->item('encryption_key'));
}
}