CodeIgniter Community Voice - Mathew Davies

#11
[eluser]Lone[/eluser]
I am still failing to see how this is really anymore secure then using a static salt in the situation that your DB had been compromised (and brute forced with a rainbow hash) which Im led to believe is the main reason for using salt for passwords. The reason being that the dynamic salt can be actually seen in the table row that has been compromised and hence can be used as a part of the rainbow hash.

#12
[eluser]Pascal Kriete[/eluser]
Lone, rainbow tables don't reverse the hash - they find a collision.

Hash functions aren't perfect, they all have a size limit (160 bits in the case of sha1) so the birthday paradox applies to all of them.

If we have password x and assume that y = sha1(x), then we can find another password z where sha1(z) = y. That works really well if they aren't salted, because we now just punch z into the password field and the server authenticates us. But with a salt the hash becomes different for the two. So sha1(x) == sha1(z), but sha1(x+salt) != sha1(z+salt).

What the static salt does, is it stretches the key we hash so that the odds of finding that particular collision are lower. Also if you have a very random password, and someone does manage to crack the hash, they won't be able to tell where the salt ends and the password starts.

Something like this would have a similar effect, with a few more operations:
Code:
$salt = //something randomly generated and later inserted along with the password
$password = 'password';

$hashed = sha1($salt . sha1($salt . $password));
To truly reverse sha1, you would need to brute force it, which is not feasible (article explaining why).

#13
[eluser]makedjakila[/eluser]
Hello Everybody,

There is an interesting article on phpsec.org about salted passwords. This is the philosophy :
Code:
define('SALT_LENGTH', 10) ;

//INSERT SALTED PASSWORD
$salt = substr(md5(uniqid(rand(), TRUE)),0, SALT_LENGTH) ; // $salt is randomly generated
$password = 'ilovesaltnpepa' ;

$salted_password = $salt . substr(sha1($salt . $password), 0, -SALT_LENGTH) ; // $salt is stored at the beginning of the password => sha1 has a length of 40 and the salt has a length of 10 : this explain -SALT_LENGTH...

// RETRIEVE SALT
$salt = substr($salted_password, 0, SALT_LENGTH); // $salt is retrieved from $salted_password

//You should know what to do next !

This way, the salt is not clearly stored in the database: ;D

#14
[eluser]dimazarno[/eluser]
[quote author="Popcorn" date="1215129082"]Humf, I wrote the article Latavish Wink

What you have shown me is a dynamic salt value.

The best thing is to do something like this :

Code:
$dynamic_salt = ''; // Randomly generated salt value then store it in the users table.
$static_salt = ''; // Grab this salt value from a config file.

$password = 'password'; // Input password.

$secured_password = sha1($dynamic_salt.$static_salt.$password); // Secure
[/quote]

Hi Popcorn,
how to retrieve the password for 'forgot password'? is it using reset password like wordpress?

#15
[eluser]Popcorn[/eluser]
Hi,

I found some mistakes in my article which make me look stupid, I was a less experienced developer back then.

dimazarno : You don't, you setup a key system to verify their email address which will allow them to enter a new password through a form.

-Mathew

#16
[eluser]dimazarno[/eluser]
oo i see, thanks for the reply Smile

#17
[eluser]Unknown[/eluser]
First, thanks to Matthew and sikkle for the great article!

I'd like to know if it's possible to use salts with the CodeIgniter Validation helper. I know you can automatically MD5/SHA passwords using the validation rules, but can you also salt it?

ExampleSadMD5, no salt)
$this->form_validation->set_rules('password', 'Password', 'trim|required|matches[password2]|md5');

Thanks!


Digg   Delicious   Reddit   Facebook   Twitter   StumbleUpon  


  Theme © 2014 iAndrew  
Powered By MyBB, © 2002-2020 MyBB Group.