
Using a salt for hashed passwords


funbinod


Can anyone please suggest how I can use a salted password? I just learnt how to use hashed passwords. After learning, I came to know that they can be easily hacked using rainbow tables or other methods, and got the suggestion online to use a salted password with the hash. But I have had difficulties learning how to use the salt. Please guide me on how I can use a salt while registering, logging in and changing the password.

 

Thanks in advance.


 

$salt = 'example'; // this must never change
$passwordUnencrypted = 'password';
$passwordEncrypted = hash('sha512', $passwordUnencrypted . $salt);

// adding row to table (registering)
$sql = "INSERT INTO users (password) VALUES ('" . $passwordEncrypted . "')";

// checking password in table (logging in)
$sql = "SELECT COUNT(*) FROM users WHERE password = '" . $passwordEncrypted . "' LIMIT 1"; // obviously check for username too

// updating password in table (changing password)
// $user_id must be an integer (or a bound parameter), never raw user input, or this query is injectable
$sql = "UPDATE users SET password = '" . $passwordEncrypted . "' WHERE user_id = " . (int) $user_id;

Regarding @JamesB's suggestion:

 

What I wonder is: if the stored hash is hacked and the exact password is found, let's say "password", then can't a hacker use that to log in, since the process is

$salt = 'example'; // this must never change
$passwordUnencrypted = 'password';
$passwordEncrypted = hash('sha512', $passwordUnencrypted . $salt);

// checking password in table (logging in)
$sql = "SELECT COUNT(*) FROM users WHERE password = '" . $passwordEncrypted . "' LIMIT 1"; // obviously check for username too

and when he tries logging in, he will enter "password"; won't it be added to the fixed salt value, which is always there in the script or database and which he doesn't need to provide, as you described? Isn't it the same as entering the password only, without any salt? Please help me understand this more clearly.


When not using a salt:

 

If the hacker gains access to your database and sees the encrypted password, they can use public encryption lookup tables to find one or many possibilities of what the password is.

 

When using a salt:

 

If the hacker gains access to your database and sees the encrypted password, they cannot use public encryption lookup tables to find the password.

If the hacker gains access to your database and also to your PHP file containing the salt, they still cannot use public encryption lookup tables to find the password. However, they can attempt to reverse it themselves, which will probably take a very long time, as they would need to brute force millions, probably well above trillions, of combinations of text concatenated to the salt to find the matching encrypted string.


Your salt should be unique for every user, you should not use a hard-coded salt for every user. Store the salt in the database along with the user's record also. The salt can be something like a hash of the current time plus the user IP address, for example, but it needs to be unique for every user and you should store it with the rest of the user data. One of the points of using a salt is so that if 100 users all have the same password, their hashes are all different.

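The per-user salt described in the reply above, carried through registration, login and password change, as an added example that is not code from the original thread or from any poster. It keeps the thread's sha512(password . salt) construction so the mechanism is visible; the later reply about making the hash slow still applies. Assumed: PHP 7+ (for random_bytes and hash_equals), the pdo_sqlite extension for the in-memory demo, and a hypothetical table users(user_id, username, salt, password_hash) with the salt stored as a hex string in its own column.

```php
<?php
// Added example, not code from the original thread or from any poster.
// Shows the per-user salt approach: a fresh random salt per user, stored in
// the user's row next to the hash, used on register, login and change.
// Assumptions: PHP 7+ (random_bytes, hash_equals), the pdo_sqlite extension,
// and a hypothetical table users(user_id, username, salt, password_hash)
// where salt and password_hash are hex strings.
declare(strict_types=1);

function makeSalt(): string
{
    // 16 bytes from the CSPRNG, stored as 32 hex characters; a new one per user.
    return bin2hex(random_bytes(16));
}

function hashPassword(string $password, string $salt): string
{
    // Same construction as the thread: sha512(password . salt), hex encoded.
    return hash('sha512', $password . $salt);
}

function registerUser(PDO $pdo, string $username, string $password): void
{
    $salt = makeSalt();
    $stmt = $pdo->prepare('INSERT INTO users (username, salt, password_hash) VALUES (?, ?, ?)');
    $stmt->execute([$username, $salt, hashPassword($password, $salt)]);
}

function loginUser(PDO $pdo, string $username, string $password): bool
{
    // The row is found by username alone; the salt is read from that row,
    // so the user never supplies it and the lookup stays a single query.
    $stmt = $pdo->prepare('SELECT salt, password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return false; // unknown username
    }
    // hash_equals() compares in constant time so the response time does not
    // reveal how many leading bytes of the hash matched.
    return hash_equals($row['password_hash'], hashPassword($password, $row['salt']));
}

function changePassword(PDO $pdo, int $userId, string $newPassword): void
{
    // Generate a fresh salt on every change rather than reusing the old one.
    $salt = makeSalt();
    $stmt = $pdo->prepare('UPDATE users SET salt = ?, password_hash = ? WHERE user_id = ?');
    $stmt->execute([$salt, hashPassword($newPassword, $salt), $userId]);
}

function check(bool $condition, string $what): void
{
    echo ($condition ? 'PASS' : 'FAIL') . ': ' . $what . PHP_EOL;
}

// Demonstration against an in-memory SQLite database constructed for this example.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (
    user_id INTEGER PRIMARY KEY AUTOINCREMENT,
    username TEXT UNIQUE NOT NULL,
    salt TEXT NOT NULL,
    password_hash TEXT NOT NULL
)');

registerUser($pdo, 'alice', 'password');
registerUser($pdo, 'bob', 'password'); // same password as alice

$rows = $pdo->query('SELECT username, salt, password_hash FROM users ORDER BY user_id')
            ->fetchAll(PDO::FETCH_ASSOC);
check($rows[0]['salt'] !== $rows[1]['salt'], 'alice and bob got different salts');
check($rows[0]['password_hash'] !== $rows[1]['password_hash'],
      'same password, different salts, different stored hashes');

check(loginUser($pdo, 'alice', 'password') === true, 'alice logs in with her password');
check(loginUser($pdo, 'alice', 'Password') === false, 'wrong case is rejected');
check(loginUser($pdo, 'carol', 'password') === false, 'unknown user is rejected');

changePassword($pdo, 1, 'new-secret');
check(loginUser($pdo, 'alice', 'password') === false, 'old password no longer works');
check(loginUser($pdo, 'alice', 'new-secret') === true, 'new password works');
```

Run it with `php salt_example.php`. Every query takes its values as bound parameters, so the hash and the user id are never concatenated into SQL, and because the salt lives in the same row as the hash, an attacker who dumps the table gets both but still has to run the hash function per guess, per user.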

 

"if 100 users all have the same password, their hashes are all different."

 

Sorry! I'm just learning about salts.

The confusion that arose is: "if all have the same password and the salt for all is the same, how could their hashes be different?" Please help me understand how salt works.


"if all have the same password and the salt for all is the same, how could their hashes be different?"

It won't be different; it will be the same. That's why the salt for each user needs to be different.

Thank you!

 

Another question! :P

Where is the salt stored? If it is stored in the database and the database is hacked, can't the hacker get the salt as well? If it is stored in a file or script, isn't it possible they can hack everything when they can hack the database?


Hmmm! It means he will find the hashed password and the salt, but could not execute the password because it is combined in the hashed password in the database!

Did I understand correctly?

If so, please guide me on how the salt is uniquely generated for each user.


Using a unique salt means that rainbow table attacks will not work, because the rainbow table does not use the salt. If he has the salt and your hashing algorithm then he can generate a rainbow table for just that one user, but that is going to be a computationally expensive process. Ideally your hashing algorithm should require around .25 seconds or more to generate the hash. That would mean that generating 10 million hashes to fill a rainbow table for a single user would require 28 days. To do that for 100 users would require over 7 years. The point is to increase the time required to run attacks on your system, to make it not worth it. Ideally it does not matter if an attacker has both your database and your code because it's going to take too long to do anything anyway.

"if so, please guide me on how the salt is uniquely generated for each user."

It doesn't really matter; one way is to generate a random number and then hash it. I'm sure you can come up with other ways. You might also find this useful: http://jeremykendall.net/2014/01/04/php-password-hashing-a-dead-simple-implementation/
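The two points in the reply above, a random per-user salt and a hash that takes around 0.25 seconds, as an added example using PHP's built-in password_hash()/password_verify() (PHP 5.5+) rather than a hand-rolled sha512. This is not code from the original thread, from any poster, or from the linked article. password_hash() generates its own random salt on every call and stores it inside the returned string, so no separate salt column is needed. The 0.25 s target, the cost range searched, and the helper names are assumptions of this example.

```php
<?php
// Added example, not code from the original thread or from any poster.
// Uses password_hash()/password_verify() (PHP 5.5+), which generate a random
// salt per call and keep it inside the returned string, and picks a bcrypt
// cost so that one hash takes about the 0.25 s the reply above suggests.
// The 0.25 s target and the cost range are assumptions of this example.
declare(strict_types=1);

// Return the smallest bcrypt cost (2^cost rounds) whose hashing time on this
// machine reaches the target; cap it so calibration cannot run away.
function calibrateCost(float $targetSeconds = 0.25, int $minCost = 8, int $maxCost = 15): int
{
    for ($cost = $minCost; $cost <= $maxCost; $cost++) {
        $start = microtime(true);
        password_hash('calibration-only', PASSWORD_BCRYPT, ['cost' => $cost]);
        if (microtime(true) - $start >= $targetSeconds) {
            return $cost;
        }
    }
    return $maxCost;
}

// Registration / password change: store the returned string as-is. It holds
// the algorithm, the cost and the 22-character salt, e.g. "$2y$12$<salt><hash>".
function storedHashFor(string $password, int $cost): string
{
    return password_hash($password, PASSWORD_BCRYPT, ['cost' => $cost]);
}

// Login: password_verify() reads the salt and cost out of the stored string
// and compares in constant time, so the user never supplies the salt.
function loginOk(string $password, string $storedHash): bool
{
    return password_verify($password, $storedHash);
}

// After a successful login, upgrade hashes that were made with a lower cost
// than the one currently in use (only possible while the plaintext is in hand).
function maybeRehash(string $password, string $storedHash, int $cost): string
{
    if (password_needs_rehash($storedHash, PASSWORD_BCRYPT, ['cost' => $cost])) {
        return storedHashFor($password, $cost);
    }
    return $storedHash;
}

$cost = calibrateCost();
printf("bcrypt cost %d reaches the time target on this machine\n", $cost);

$alice = storedHashFor('password', $cost);
$bob   = storedHashFor('password', $cost);   // same password as alice
printf("alice: %s\nbob:   %s\n", $alice, $bob);
// The salt is the 22 characters after the 7-character "$2y$NN$" prefix.
printf("salts differ: %s\n", substr($alice, 7, 22) !== substr($bob, 7, 22) ? 'yes' : 'no');

printf("correct password: %s\n", loginOk('password', $alice) ? 'accepted' : 'rejected');
printf("wrong password:   %s\n", loginOk('passw0rd', $alice) ? 'accepted' : 'rejected');

// Simulate a hash created earlier at a lower cost and upgrade it at login.
$old = storedHashFor('password', 4);            // 4 is bcrypt's minimum cost in PHP
$upgraded = maybeRehash('password', $old, $cost);
printf("old hash at cost 4 was %s\n", $upgraded === $old ? 'kept' : 'rehashed at cost ' . $cost);
```

Run it with `php hash_cost_example.php`. Calibrate the cost once per deployment, not on every request, and re-check it when the hardware changes; the rehash-on-login step is how existing users get moved to the new cost without anyone having to reset passwords.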

The process to look up a user in the database given an unhashed username would be prohibitively expensive if you used a salt.

Just think about how that would work. You save all of your usernames in the database as hashes, and you salt the hash with the same salt you use for the password hash. Think about the process to look for a user's record when they try to log in with their username and password. You need to get all records from the database and loop through them. For each record, you need to get the salt, hash the username with the salt, and check that against the hash saved in the database. If it takes .25 seconds to calculate a hash with your algorithm, and the user you're looking for is #500 in the database, then it's going to take over 2 minutes of hashing to find their database record. You can't just use a single SQL query to find the record for that username if the username is salted and hashed, you need to loop through and test each one. That assumes you're using a hash/salt algorithm that the database does not natively support, but even if you were using something that the database supports it would still have to calculate all of those hashes just to find a single record.
