salted password hashes (discussion)


mentalist

Hey...

I'm considering adding a salt to each user (at the moment I have a site-wide one), but when thinking about it, this is in case someone has access to the db (or hashed password), and if they had access to the db then they'd probably have access to the salt as well.

So, what I'm thinking is, if you use the username as the individual salt then a db request to get the salt isn't required (I don't use the mysql hashing functions). This would still require the crackers to generate a lookup table for each user...

So I'm thinking they provide the level of protection, on the premise that if they get the pass hash they also get the salt.

P.S. my site salt isn't in the db, rather a config file...

You store the salt elsewhere (in an encrypted file or something) and use that in your code. Do not store salts anywhere where people COULD get access to them - very important that you protect them by encrypting your file with Zend Guard or ionCube.

I put this encryption in an encryption class which takes your string and encrypts it as you instruct and passes the string back - that file is protected by encoding it with Zend Guard, so even if someone got ftp access they'd have a hard time figuring it out....

Silly thing is, if you make a large enough lookup table, then individual salts become meaningless anyway, so I'm wondering if it's worth wasting processing time going to the extremes... i.e. an 8 char password with a 4 char salt is always going to be 12 chars, no matter what the salt! A hash will generally always be individual (bar a few collisions, but they'd be an issue either way), so a unique string will generally only have one interpretation and therefore only a single lookup table is ever required!

Especially since this is cracking from the inside, i.e. they already have access to your db, maybe ftp or shell, surely they'd find it easier and quicker to add some form of logger?

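As an added example that is not from this thread: a per-user random-salt scheme in Python using PBKDF2, with the unsalted (single-table) case alongside for comparison. The salt is stored next to the hash and only needs to be unpredictable before a breach, so, unlike a username, it cannot be used to build a table ahead of time, and the slow hash is what the extra processing time buys per guess. The function names, sample credentials and round count are the example's own assumptions.

```python
import hashlib
import hmac
import secrets

# Assumption for this example: a PBKDF2 work factor; tune it to your hardware.
PBKDF2_ROUNDS = 100_000
SALT_BYTES = 16

def make_salt() -> bytes:
    # A fresh random salt per user. It is stored beside the hash in clear;
    # its job is to be unpredictable before a breach, not secret after one.
    return secrets.token_bytes(SALT_BYTES)

def hash_password(password: str, salt: bytes, rounds: int = PBKDF2_ROUNDS) -> bytes:
    # Slow, salted hash: the same password with a different salt gives a
    # different digest, so one precomputed table cannot cover every user.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)

def unsalted_digest(password: str) -> bytes:
    # The no-salt case for comparison: every row with this password looks the
    # same, so a single table covers the whole user table.
    return hashlib.sha256(password.encode("utf-8")).digest()

def register(store: dict, username: str, password: str) -> None:
    salt = make_salt()
    store[username] = (salt, hash_password(password, salt))

def verify(store: dict, username: str, password: str) -> bool:
    record = store.get(username)
    if record is None:
        return False
    salt, stored = record
    # Constant-time comparison so the check does not leak how many bytes matched.
    return hmac.compare_digest(hash_password(password, salt), stored)

def same_password_visible(store: dict, user_a: str, user_b: str) -> bool:
    # True if a reader of the leaked table can see two users share a password
    # without cracking anything; per-user salts make this False.
    return store[user_a][1] == store[user_b][1]

if __name__ == "__main__":
    users = {}
    register(users, "alice", "hunter2")   # constructed sample credentials
    register(users, "bob", "hunter2")
    print(verify(users, "alice", "hunter2"), verify(users, "bob", "wrong"))
    print(same_password_visible(users, "alice", "bob"))
    print(unsalted_digest("hunter2") == unsalted_digest("hunter2"))
```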
