slarson20 Posted September 15, 2011

I know you're going to say google it, and I did, but I couldn't find an ENGLISH definition lol for someone who's clueless with how encryption works. What are rainbow tables, and what is salting? Also, how does salting prevent rainbow table attacks?

cssfreakie Posted September 15, 2011

Google is indeed a wicked tool.

In a nutshell: when you use md5() or any other hashing function (hashing is not encrypting), the string that goes in gets transformed into a fixed-length string that hides the original string. That is opposed to encryption, which uses a key (to decrypt/'open'). You can't decrypt a hash, since there is no key. It's one way.

For instance: monkeys becomes HJJAUudfisiufa666547HGhHHd (I just made that up).

A rainbow table stores common words like monkey and most other words you find in a dictionary. So once someone gets into your database, he sees the hashes you stored and just compares them with his rainbow table, to maybe use those on your customers' email or PayPal accounts. Most people use the same password for everything....

Now if you use a salt, for instance: *776**&DHuswu#@#@%^&^@!&*@&*^2112$%5~

The string isn't monkeys but monkeys + that weird salt, and then it gets hashed. And since that combination is very unlikely to end up in a dictionary (unless real monkeys took over the redaction), it's unlikely to exist in the attacker's rainbow table, thus making it more secure.

That's it.

P.S. Google is your friend!

MasterACE14 Posted September 15, 2011

Also, to add to what cssfreakie has said, in PHP it's as simple as this...

    $string = 'monkeys';
    $salt = '*776**&DHuswu#@#@%^&^@!&*@&*^2112$%5~';
    // hash the password with the salt appended
    echo md5($string . $salt);

slarson20 Posted September 15, 2011 (Author)

What if you md5 the password and then send it to the server using Ajax? How do you md5+salt once it is already md5'd once?

Oh sorry, I forgot to say thanks, lol, I'm tired. Thank you 2 for the good replies.

cssfreakie Posted September 15, 2011

> What if you md5 the password and then send it to the server using Ajax? How do you md5+salt once it is already md5'd once?
>
> Oh sorry, I forgot to say thanks, lol, I'm tired. Thank you 2 for the good replies.

There is no good reason to md5 (hash) something twice. In fact it makes your stuff less secure (why? because of the fixed-length input for the second hash).

Anyway, the answer to your thread is given. Keep it to the point and mark it solved once the answer is given. And above all, this forum is flooded with questions and answers on this hashing stuff. Try it out...

slarson20 Posted September 15, 2011 (Author)

Sorry, but that didn't answer my question. I md5 my password before sending it GET-style to the server using Ajax, so how would I salt it once it's at the server, or is it OK to salt it in the JavaScript? Does the salt have to be secret?

cssfreakie Posted September 15, 2011

If you already md5-ed it, you are too late. Because the trick of a salt is what? (see above...)

And of course you want to keep your salt secret, because that is what turns the common word monkeys into a word that does not exist in the dictionary, and after that you hash it. If you use JavaScript (client side) it will be in plain sight.

slarson20 Posted September 15, 2011 (Author)

Ohhhh, if you don't hide it they can make a rainbow database based off your salt, right?

cssfreakie Posted September 15, 2011

> Ohhhh, if you don't hide it they can make a rainbow database based off your salt, right?

Exactly, because then they just take the normal dictionary and append your salt to it, create the hashes and compare them again with your stored values.

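The table comparison discussed in this thread, as an added example that is not code posted by any participant: it checks stored hashes against a precomputed table for unsalted md5() and for one site-wide salt, and goes a step beyond the thread by doing the same for a random per-user salt and PHP's built-in password_hash(). The wordlist, user names and passwords are constructed, and the helper names buildTable() and countHits() are hypothetical; PHP 7.4 or later is assumed.

```php
<?php
// Added illustration, not code from the thread. Wordlist and accounts are constructed.

// Precomputed lookup table: hash => word. Built once, reusable against every matching dump.
function buildTable(array $words, string $salt = ''): array {
    $table = [];
    foreach ($words as $w) {
        $table[md5($w . $salt)] = $w;
    }
    return $table;
}

// How many of the stored hashes can be looked up directly in the table.
function countHits(array $hashes, array $table): int {
    return count(array_filter($hashes, fn($h) => isset($table[$h])));
}

$words = ['monkeys', 'password', 'letmein'];
$users = ['alice' => 'monkeys', 'bob' => 'monkeys', 'carol' => 'letmein'];
$plainTable = buildTable($words);

// 1. Unsalted md5: dictionary passwords are looked up in the generic table.
$unsalted = array_map('md5', $users);
printf("unsalted, generic table:      %d of %d found\n", countHits($unsalted, $plainTable), count($users));

// 2. One site-wide salt (the thread's approach): compare the generic table with a
//    single table rebuilt using the salt, and check whether equal passwords collide.
$siteSalt = '*776**&DHuswu#@#@%^&^@!&*@&*^2112$%5~';
$sitewide = array_map(fn($p) => md5($p . $siteSalt), $users);
printf("site salt, generic table:     %d found\n", countHits($sitewide, $plainTable));
printf("site salt, rebuilt table:     %d found\n", countHits($sitewide, buildTable($words, $siteSalt)));
printf("alice and bob share a hash:   %s\n", $sitewide['alice'] === $sitewide['bob'] ? 'yes' : 'no');

// 3. Random per-user salt, stored beside the hash: a table built for one user's
//    salt is then tested against every user's hash.
$perUser = [];
foreach ($users as $name => $p) {
    $salt = bin2hex(random_bytes(16));
    $perUser[$name] = ['salt' => $salt, 'hash' => md5($p . $salt)];
}
$aliceTable = buildTable($words, $perUser['alice']['salt']);
printf("per-user salt, alice's table: %d found\n", countHits(array_column($perUser, 'hash'), $aliceTable));

// 4. PHP's built-in API: a random salt per password plus a deliberately slow hash.
$stored = password_hash('monkeys', PASSWORD_DEFAULT);
printf("password_verify:              %s\n", password_verify('monkeys', $stored) ? 'ok' : 'fail');
```
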