User authentication query
#1

[eluser]arthurhanlon[/eluser]
I wonder if anyone can shed any light on this for me?

I realise that there are many auth type libraries for Codeigniter out there and whilst they are quite full featured, I feel that they are slightly overkill for what I want and would therefore like to go about writing my own user authentication.

I am at a loss as to understand how password salting and hashing works so bear with me. I have never actually concerned myself with security such as this before since I have only really written small single user apps.

So we take a user password and then generate a random salt. We then prepend/append the salt to the password and SHA1 it presumably giving us a pretty sturdy string to store in the DB?

We then take the salt and the SHA1'd string and store both in the DB and this is supposed to make it harder to crack if the DB is stolen. I am wondering how if we are storing the salt in the DB too, surely the cracker would have ready access to the salt to recreate the password string? Or are we merely relying on the fact that it would take a pretty long time to generate a dictionary for a brute force attack?

Forgive my apparent "noobishness" but like I say, I have never come across this before since I've never needed security and would like some of the proper security gubbins in my own user authentication.

Thanks in advance guys,
Arthur
#2

[eluser]n0xie[/eluser]
Quote:Or are we merely relying on the fact that it would take a pretty long time to generate a dictionary for a brute force attack?
Exactly. If you salt each row/password individually, it means the dictionary has to be recreated for each user in your dataset.

See also this link
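The scheme Arthur describes and the point n0xie makes about per-user salts, worked through as an added example (not code from this thread or from CodeIgniter; written in Python rather than PHP purely to illustrate the idea). The in-memory `store` dictionary stands in for the users table, and the wordlist in `demo()` is constructed. It shows that two users with the same password get different stored hashes, that a dictionary of hashes built for one user's salt matches that user only, and, as an added caveat the thread does not cover, how to swap the fast SHA1 step for an iterated PBKDF2 hash so each guess costs the attacker real time.

```python
import hashlib
import hmac
import os


def make_salt(nbytes=16):
    """Random per-user salt from the OS CSPRNG, hex-encoded so it can sit in a text column."""
    return os.urandom(nbytes).hex()


def hash_password(password, salt):
    """The scheme from the thread: SHA1(salt + password). Same salt + same password -> same hash."""
    return hashlib.sha1((salt + password).encode("utf-8")).hexdigest()


def hash_password_slow(password, salt, iterations=200_000):
    """Added caveat: an iterated KDF (PBKDF2-HMAC-SHA256) instead of a single fast SHA1.
    The salt is still stored alongside the hash; the iteration count is what slows guessing."""
    return hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt.encode("utf-8"), iterations
    ).hex()


def create_user(store, username, password, slow=False):
    """Store only the salt and the hash, never the password itself."""
    salt = make_salt()
    hasher = hash_password_slow if slow else hash_password
    store[username] = {"salt": salt, "hash": hasher(password, salt), "slow": slow}
    return store[username]


def verify_password(store, username, password):
    """Recompute with the stored salt and compare in constant time."""
    rec = store.get(username)
    if rec is None:
        return False
    hasher = hash_password_slow if rec["slow"] else hash_password
    candidate = hasher(password, rec["salt"])
    return hmac.compare_digest(candidate, rec["hash"])


def precompute_table(wordlist, salt):
    """The 'dictionary' n0xie refers to: hash -> plaintext for one specific salt.
    Because the salt is baked in, this table is only useful against that one row."""
    return {hash_password(word, salt): word for word in wordlist}


def demo():
    """Walk through the thread's question and return the observable facts."""
    store = {}
    create_user(store, "alice", "correct horse")
    create_user(store, "bob", "correct horse")          # same password as alice
    create_user(store, "carol", "correct horse", slow=True)

    # Constructed wordlist standing in for a password dictionary.
    wordlist = ["password", "letmein", "correct horse", "qwerty"]
    alice_table = precompute_table(wordlist, store["alice"]["salt"])

    return {
        "same_password_different_hashes": store["alice"]["hash"] != store["bob"]["hash"],
        "alice_verifies": verify_password(store, "alice", "correct horse"),
        "alice_rejects_wrong": verify_password(store, "alice", "wrong"),
        "unknown_user_rejected": verify_password(store, "nobody", "correct horse"),
        # The table built for alice's salt finds alice's password...
        "table_hits_alice": alice_table.get(store["alice"]["hash"]),
        # ...but has to be rebuilt from scratch to say anything about bob.
        "table_hits_bob": alice_table.get(store["bob"]["hash"]),
        "carol_verifies_slow": verify_password(store, "carol", "correct horse"),
        "sha1_hex_len": len(store["alice"]["hash"]),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The answer to the original question is visible in `table_hits_alice` versus `table_hits_bob`: knowing the salt does let an attacker recompute hashes, but only for that one row, so the dictionary work has to be repeated per user. The remaining weakness is that SHA1 is fast, which is why `hash_password_slow` is included as the variant a practitioner would actually deploy today.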
