You want salt with that?

Yes you would, and you should!

Explanation follows shortly. Over the last few weeks, I’ve been helping out a friend with his new site. He paid some programmers from India a few hundred euros to complete the site, and they did.

However, they made more than a few errors!

The first and most n00bish error they made was not properly escaping input to MySQL, meaning the whole site was vulnerable to SQL injection. I tried it, and it worked like a charm = bad!

This error was quick to fix, and soon after the site was a tad bit more secure. But then I discovered the next big (huge!) mistake.

All passwords are stored in PLAINTEXT in the database!!!!1!!

Why is this bad? Well, if someone got hold of the database, they could use it to access that person's account. They could even be so lucky that they could access a different site using the same username and password = not good!

People are generally not good at using different passwords for different sites.

So what are the options?

  • Store the cryptographic hash (aka message digest) of the password instead of the password.
  • Store the cryptographic hash of the password + a salt.

If you just want security against your plain kiddy hacker, you could go for option number one.

However, MD5 has been proven to be “weak”. You could/should replace it with SHA-256.

If a good (proven) hacker gets hold of the passwords in your database, he would most likely use a Rainbow table to reverse engineer all the passwords.

Using a salt
Let's say that for each user in your user table, you add a new field which contains a salt. This salt is different for each user. The length of the salt should be fairly high, say about >128 characters.

Before the password is hashed, the randomly generated salt value is appended or prefixed to the password.

If the attacker gets hold of your user table, he (or she for that matter) will have to calculate a new Rainbow table for each user. The larger the salt you use, the bigger the Rainbow table and the longer it takes to calculate.

A hidden salt value would be ideal, but that's not always possible.
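Here is the scheme above written out, as an added example (not code from my friend's site): a random per-user salt is stored beside the SHA-256 hash, and login verifies by re-hashing with the stored salt. The salt here is 16 random bytes (32 hex characters), shorter than the >128 suggested above but already unique per user; the `pbkdf2` variant is the extra a practitioner wants, since plain SHA-256 is fast and a slow, iterated hash makes guessing each password far more expensive even with the salt known.

```python
import hashlib
import hmac
import secrets

SALT_BYTES = 16          # 16 random bytes -> 32 hex characters stored per user
PBKDF2_ITERATIONS = 600_000  # iteration count for the slow variant


def make_salt() -> str:
    """Cryptographically random salt, one per user, stored in its own column."""
    return secrets.token_hex(SALT_BYTES)


def hash_password(password: str, salt: str) -> str:
    """Salt prefixed to the password, then SHA-256 (the post's scheme)."""
    return hashlib.sha256((salt + password).encode("utf-8")).hexdigest()


def hash_password_slow(password: str, salt: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Same inputs, but iterated with PBKDF2-HMAC-SHA256 so each guess costs real CPU time."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt.encode("utf-8"), iterations)
    return digest.hex()


def create_user(users: dict, username: str, password: str, slow: bool = False) -> None:
    """Insert a user record: plaintext is never stored, only salt + hash."""
    salt = make_salt()
    hasher = hash_password_slow if slow else hash_password
    users[username] = {"salt": salt, "hash": hasher(password, salt), "slow": slow}


def verify_password(users: dict, username: str, password: str) -> bool:
    """Re-hash the supplied password with the stored salt; constant-time compare."""
    record = users.get(username)
    if record is None:
        return False
    hasher = hash_password_slow if record["slow"] else hash_password
    candidate = hasher(password, record["salt"])
    return hmac.compare_digest(candidate, record["hash"])


if __name__ == "__main__":
    # Constructed demo: two users choose the same password; stored hashes still differ.
    db = {}
    create_user(db, "alice", "hunter2")
    create_user(db, "bob", "hunter2")
    print(db["alice"]["hash"] != db["bob"]["hash"])   # True: a shared Rainbow table is useless
    print(verify_password(db, "alice", "hunter2"))    # True
    print(verify_password(db, "alice", "Hunter2"))    # False
```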
