Darkranger85 Posted March 6, 2012

Hey all, I posted a few months ago trying out my first salted password and I utterly failed lol. This is a small snippet from my current attempt.

$salt = md5(uniqid(rand()));
$Pass_S = md5($pass.$salt);

This is only the password and salt generation part. I'm sure the salt generation is probably too simple so please feel free to give your thoughts on that part. Also the salt is stored on the database to be pulled up later for login uses. Thanks all!
batwimp Posted March 6, 2012

How did you fail? Did you get an error message? Please provide more detailed information.
Darkranger85 Posted March 6, 2012

lol no you misunderstand. This is my second attempt. The "fail" I referred to was my first attempt that I posted months ago.
batwimp Posted March 6, 2012

Oh. Well, give me a few minutes to go back through all of the posts and find the other one...
xyph Posted March 6, 2012

Read the article in my signature. The language used is designed for intermediate programmers ready to get into safe one-way storage of sensitive information. If you don't understand it after reading through, then you should use the class they provide and work on the basics a little bit more before trying something this complex. Hope that helps.
Darkranger85 Posted March 7, 2012

Ok, I've read it over and I must say that my eyes have completely glazed over. I understood some of the basic concepts but that's about it. I looked at the download of the program discussed in it and I don't really understand that either. I'm still pretty new and so many of the commands and such in there I simply don't understand yet. I'll keep trying though but any additional help is always appreciated!

Now, I had another question that I thought up as I was reading that article. What if I made my log in system in a way that when a user logged in it generated a new SALT and replaced the old one? Would that improve security or make it worse? Thanks!
xyph Posted March 7, 2012

Won't make a difference. The salt is only there to make brute-forcing harder if an attacker manages to get the password's hash. The reason salts are unique in the first place is to prevent an attacker from figuring out a single salt and quickly brute-forcing other hashes. Changing a salt once a hash is compromised won't add any extra security.

It's a very complex topic, but the users are trusting you with a secret password. You have an 'obligation' to protect that as best you can.
Darkranger85 Posted March 7, 2012

What about storing the salt and/or password values in separate tables or databases? I apologize if these are stupid questions lol
xyph Posted March 7, 2012

Won't help. The salt shouldn't be considered private information anyways, as stated in the article.
Darkranger85 Posted March 7, 2012

Again, I apologize for being a newb lol. I don't understand why storing your passwords separately doesn't improve security. If a hacker gets into your database but the passwords are stored in another database doesn't that give you a small victory? (Not saying I'm right, I'm just trying to understand lol)
xyph Posted March 7, 2012

How will 'hiding' the information help you at all? Dumping the contents of two databases isn't more difficult than one. To try and simplify this, you're trying to hide data within a system specifically designed to find data quickly and easily.
Darkranger85 Posted March 7, 2012

I see. I guess what it comes down to is I don't really know much about hacking in general so I wouldn't know what is more or less secure lol.

On the original topic, I also did some searching on Google about PhPass and I found articles on "bcrypt" linked to it. Is that related or is it something else entirely?
xyph Posted March 7, 2012

bcrypt is used by phpass. This has been overly simplified, to help you understand.

It's based on Blowfish, a well known block cipher. Blowfish was chosen because it's slow. bcrypt was designed to 'stretch' Blowfish over several iterations to be as slow as needed. This is done to slow down brute-forcing. If it takes 50ms instead of 0.5ms to calculate a hash, a brute-force will take up to 100x longer to perform. Since there have been no mathematical 'weaknesses' found in bcrypt thus far, there's no shortcut to speed brute-forcing up.

If bcrypt is available on the system, phpass uses it. If not, there are several similarly strong and slow algorithms that it will implement.
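As an added example that is not part of the thread and not phpass code, the following PHP shows the two points xyph makes above (a unique per-user salt, and a deliberately slow bcrypt hash whose cost can be tuned) using PHP's built-in password_hash()/password_verify() functions (available since PHP 5.5, so after this thread was written). It also shows how a row still stored with the original poster's md5($pass.$salt) scheme can be upgraded to bcrypt on the user's next successful login. The column names in the $row array and the sample password are constructed for the demo.

```php
<?php
// Added example, not from the thread or from phpass. Requires PHP >= 5.5.
declare(strict_types=1);

// Work factor for bcrypt: each +1 doubles the time per hash. Tune so one
// hash takes tens of milliseconds on your server, as xyph describes.
const BCRYPT_COST = 12;

// Hash a new password for storage. password_hash() draws a random salt
// itself and embeds it in the returned string ($2y$<cost>$<salt><hash>),
// so no separate salt column is needed and the salt need not be secret.
function hashPassword(string $password, int $cost = BCRYPT_COST): string
{
    return password_hash($password, PASSWORD_BCRYPT, ['cost' => $cost]);
}

// Check a login attempt. The salt and cost are read back out of the stored hash.
function checkPassword(string $password, string $storedHash): bool
{
    return password_verify($password, $storedHash);
}

// Verify against either scheme and return a new hash when the row should be
// rewritten. $row is a constructed stand-in for a users-table record with
// hypothetical columns: 'hash', 'salt' (legacy md5 rows only), 'legacy' (bool).
// Returns [bool $ok, ?string $newHash].
function verifyAndMaybeUpgrade(string $password, array $row): array
{
    if ($row['legacy']) {
        // Legacy scheme from the original post: md5($pass . $salt).
        // hash_equals() compares in constant time.
        $ok = hash_equals($row['hash'], md5($password . $row['salt']));
        // On success, replace the fast md5 hash with a slow bcrypt hash.
        return [$ok, $ok ? hashPassword($password) : null];
    }

    $ok = checkPassword($password, $row['hash']);
    // Also rehash if the stored cost is lower than the current BCRYPT_COST.
    $rehash = $ok && password_needs_rehash($row['hash'], PASSWORD_BCRYPT, ['cost' => BCRYPT_COST]);
    return [$ok, $rehash ? hashPassword($password) : null];
}

// Constructed demo password (never reuse demo values in production).
$password = 'correct horse battery staple';

// Two users with the same password get different hashes because the salt differs.
$hashA = hashPassword($password);
$hashB = hashPassword($password);
printf("hash A: %s\nhash B: %s\nidentical: %s\n", $hashA, $hashB, $hashA === $hashB ? 'yes' : 'no');

// Only the correct password verifies.
printf("correct password: %s\n", checkPassword($password, $hashA) ? 'accepted' : 'rejected');
printf("wrong password:   %s\n", checkPassword('wrong password', $hashA) ? 'accepted' : 'rejected');

// Time one hash at increasing cost to see the slow-down bcrypt is built for.
foreach ([4, 8, 12] as $cost) {
    $start = microtime(true);
    hashPassword($password, $cost);
    printf("cost %2d: %.1f ms per hash\n", $cost, (microtime(true) - $start) * 1000);
}

// Migrate a constructed legacy row (original poster's scheme) on login.
$legacySalt = md5(uniqid((string) rand(), true));
$legacyRow  = ['hash' => md5($password . $legacySalt), 'salt' => $legacySalt, 'legacy' => true];
[$ok, $newHash] = verifyAndMaybeUpgrade($password, $legacyRow);
printf("legacy login: %s; new bcrypt hash to store: %s\n", $ok ? 'ok' : 'failed', $newHash ?? '(none)');
```

The upgrade path only works because the plaintext password is available at login time; hashes already in the table cannot be converted without it, which is why the migration is done lazily on each user's next successful login. The timing loop is there to pick a cost: raise it until a single hash costs tens of milliseconds on the production hardware, then revisit it as hardware gets faster.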