You want salt with that?

Yes you would, and you should!

Explanation follows shortly. Over the last few weeks, I’ve been helping out a friend with his new site. He payed some programmers from India a few hundred euros to complete the site, and they did.

However, they made more than a few errors!

The first most n00bish error they made, was not to properly escape input to MySQL, meaning the whole site was vulnerable to SQL injection attack. I tried it, and it worked like a charm = bad!

This error was quick to fix, and zoon after the site was a tad bit more secure. But then I discovered the next big(huge!) mistake.

All passwords are stored in PLAINTEXT in the database!!!!1!!

Why is this bad? Well, if someone got a hold of the database, they could use it to access that persons account. They could even be so lucky, that they could access a different site, using the same username and password = not good!

People are generally not good at using different passwords for different sites.

So what are the options?

Store the cryptographic hash (aka message digest) of the password instead of the password.
Store the cryptographic hash of the message + a salt

If you just want security against you plain kiddy hacker, you could go for option number one.

However, MD5 has been proven to be “weak”. You could/should replace it with SHA256.

If a good(proven) hacker gets hold of your passwords in the database, he would most likely use a Rainbow table to reverse engineer all the passwords.

Using a salt
Lets say that you for each user in your usertable, adds a new field which contains a salt. This salt is different for each user. The length of the salt should be fairly high, say about >128 characters.

Before the password is hashed, the password is appended/prefixed the random generated hash value.

If the attacker gets hold of your usertable, he (or she for that matter) will have to calculate a new Rainbow table for each user. The larger the salt you use, the bigger the Rainbow table, the longer it takes to calculate.

A hidden salt value would be ideal, but thats not always possible.

Tags: HTML, MySQL, PHP

This entry was posted on Monday, July 26th, 2010 at 06:04and is filed under . You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.

3 Responses to “You want salt with that?”

chris Says:
July 26th, 2010 at 15:10
Nice post bud.
zoonman Says:
August 16th, 2010 at 19:16
Sorry, but hacker gets your users table with salt and all your tricks is will be stultified.
Zoon Says:
August 31st, 2010 at 12:56
I’m pretty sure he/she can get the user table. The question is how long it will take for the hacker to crack the passwords and for you to change them!

You must be logged in to post a comment.

CODExperiments