What exactly does password hashing and salting protect against?
#5

[eluser]n0xie[/eluser]
This should make a lot clear: http://chargen.matasano.com/chargen/2007...out-s.html

Quote:As I see it, salting and hashing would mean that the passwords in the database are safe even if the database falls into the wrong hands.

(Though if someone gets unauthorised access to your database, you’ve got bigger problems anyway, I’d imagine.)
Correct on both accounts.

Quote:But in terms of protecting against a dictionary/brute force/guesswork attack, what do you gain?
Nothing, your assumption is correct.

The purpose of a salt is not to make guessing harder, it's to make rainbow tables ineffective. There is a big difference.

Quote:IMO, the salt should NEVER be stored in the database as if someone got access to your table then the salt would mean nothing.
That's not how salting works. The point is that it is irrelevant what the salt is. The only reason to use salts is to prevent the generated hash from being predictable. So even if they have the salt, generating rainbow tables would still take too long. So saving the salt in the database is not an issue. Obviously it would be safer to store them somewhere else, but if your database is compromised, your system will probably be compromised anyway, so there really is no safe/convenient way to store salts.

Quote:Instead, I for example use a script which chooses a certain length of string from the password they typed, md5 it and then concatenate that with some random characters (. ? / !) etc..
That's not random. If the 'algorithm' of your script gets compromised, you basically compromised your entire dataset, since it uses a predictable outcome: every password goes through the same 'function'. Generating a rainbow table once this piece of info is known is trivial.

Quote:Similarly, when a user is just signing in, the salt would help as the rainbow table attack would fail and it would take far too long for a potential hacker to get onto the system.
If you mean that your salt is protecting against a brute-force login attempt, I dare say you are wrong. Whenever a bot tries to log in, it will be sent to your 'obfuscate' function which generates a salt just like it would for a normal user. If the bot guesses the password correctly nothing in your salting system would stop it.

I go into more detail on the subject in this long post.
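As an added example (not from the post or its author), here is a small Python comparison of the three schemes the thread discusses: no salt, the quoted password-derived 'salt', and a random per-user salt. The user list and the stand-in for the quoted script are constructed; it measures how many precomputed tables an attacker would need and how many accounts are visibly linked, and shows that login verification works the same for any caller.

```python
import hashlib
import hmac
import os
from collections import Counter

# Constructed sample: two users happen to pick the same password.
USERS = [("alice", "letmein"), ("bob", "letmein"), ("carol", "hunter2")]

def hash_with_salt(password: str, salt: bytes) -> bytes:
    # SHA-256 over salt||password; the salt is stored next to the hash in clear.
    return hashlib.sha256(salt + password.encode()).digest()

def register_unsalted(password: str) -> tuple[bytes, bytes]:
    return b"", hash_with_salt(password, b"")

def register_random_salt(password: str) -> tuple[bytes, bytes]:
    salt = os.urandom(16)  # per-user, random, unrelated to the password
    return salt, hash_with_salt(password, salt)

def register_quoted_scheme(password: str) -> tuple[bytes, bytes]:
    # Stand-in (an assumption) for the quoted 'obfuscate' script: the 'salt' is
    # md5 of a slice of the password plus fixed characters, so it is a function
    # of the password itself and nothing per-user is stored. One rule for all.
    derived = hashlib.md5(password[:4].encode()).hexdigest() + ".?/!"
    return b"", hash_with_salt(derived + password, b"")

def verify(password: str, salt: bytes, stored: bytes) -> bool:
    # Login check for the random-salt scheme, used for a real user and for a
    # guessing bot alike: the salt changes nothing about online guessing.
    return hmac.compare_digest(hash_with_salt(password, salt), stored)

def table_builds_needed(records) -> int:
    # A precomputed table is tied to one salt value; one build covers every
    # record sharing that salt, so attacker cost scales with distinct salts.
    return len({salt for salt, _ in records})

def linked_accounts(records) -> int:
    # Stored hash values that repeat: without a real salt, equal passwords
    # show up as equal rows before any guessing happens.
    return sum(n for n in Counter(h for _, h in records).values() if n > 1)

def compare_schemes() -> dict:
    out = {}
    for name, reg in [("unsalted", register_unsalted),
                      ("quoted_scheme", register_quoted_scheme),
                      ("random_salt", register_random_salt)]:
        records = [reg(pw) for _, pw in USERS]
        out[name] = (table_builds_needed(records), linked_accounts(records))
    return out
```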


Messages In This Thread
What exactly does password hashing and salting protect against? - by El Forum - 01-06-2010, 05:48 PM


