You want salt with that?
Yes you would, and you should!
Explanation follows shortly. Over the last few weeks, I’ve been helping out a friend with his new site. He payed some programmers from India a few hundred euros to complete the site, and they did.
However, they made more than a few errors!
The first most n00bish error they made, was not to properly escape input to MySQL, meaning the whole site was vulnerable to SQL injection attack. I tried it, and it worked like a charm = bad!
This error was quick to fix, and zoon after the site was a tad bit more secure. But then I discovered the next big(huge!) mistake.
All passwords are stored in PLAINTEXT in the database!!!!1!!
Why is this bad? Well, if someone got a hold of the database, they could use it to access that persons account. They could even be so lucky, that they could access a different site, using the same username and password = not good!
People are generally not good at using different passwords for different sites.
So what are the options?
- Store the cryptographic hash (aka message digest) of the password instead of the password.
- Store the cryptographic hash of the message + a salt
If you just want security against you plain kiddy hacker, you could go for option number one.
However, MD5 has been proven to be “weak”. You could/should replace it with SHA256.
If a good(proven) hacker gets hold of your passwords in the database, he would most likely use a Rainbow table to reverse engineer all the passwords.
Using a salt
Lets say that you for each user in your usertable, adds a new field which contains a salt. This salt is different for each user. The length of the salt should be fairly high, say about >128 characters.
Before the password is hashed, the password is appended/prefixed the random generated hash value.
If the attacker gets hold of your usertable, he (or she for that matter) will have to calculate a new Rainbow table for each user. The larger the salt you use, the bigger the Rainbow table, the longer it takes to calculate.
A hidden salt value would be ideal, but thats not always possible.
July 26th, 2010 at 15:10
Nice post bud.
August 16th, 2010 at 19:16
Sorry, but hacker gets your users table with salt and all your tricks is will be stultified.
August 31st, 2010 at 12:56
I’m pretty sure he/she can get the user table. The question is how long it will take for the hacker to crack the passwords and for you to change them!