Thread: "Seeding"
View Single Post
09-03-2008, 04:36 AM
 #8
JulesR is offline JulesR
Status: Member
Join date: Apr 2008
Location:
Expertise:
Software:
 
Posts: 129
iTrader: 0 / 0%
 

JulesR is on a distinguished road

  Old

Originally Posted by iwearoddsocks View Post
Thats the name salting, bah, how did i manage to get the names confused ¬_¬, Im just wondering whether or not I should start using this method in future work.
It honestly can't hurt to salt your passwords when encrypting them, and it's probably a good practice to get into, but fundamentally you need to understand when/where it's important and how it differs to other forms of obfuscation.

If security isn't a huge concern of yours, and you just want to stop prying eyes from seeing the unencrypted and plain text password field, then md5 hashing is considered adequate. The downside is that it's not hugely secure. Because md5 hashes always match the source string, it's possible to build what are known as rainbow tables to almost reverse-hash an md5 string and determine the source string used. For example, md5 hashing the word "password" will ALWAYS result in the resulting md5 string of 5f4dcc3b5aa765d61d8327deb882cf99. If an attacker were to build a database of md5 strings based on common dictionary words, they'd be able to crack the password with relative ease by searching for this hash. Still, it's far better than leaving the password in plain text, and should be the bare minimum when dealing with any passwords at all.

Using a specified salt for password encryption adds a slightly thinner layer of defense on top of md5. Now if an attacker obtains the encrypted string, instead of just being able to generated a list of encrypted strings to compare your string to like they could with md5, they would also need to discover the 'salt' that was used to encrypt it to begin with. Obviously if you use the same salt every time you encrypt a password it makes it even easier for them to crack. Unfortunately, you're almost forced to use defined salts, because without them the resulting encrypted string is practically useless. If you're doing things like user authentication, you HAVE to use a defined salt, there's not really any other way.

The biggest problem with using defined salts is that the salt must be stored somewhere - and it's usually in a file. If an attacker obtains access to these files, your passwords are as good as stored in plain text anyway. Obviously md5 hashing doesn't suffer from this problem, providing the source string is random enough that the resulting hash isn't something searchable as in the above example.

Sorry for the rant, but hopefully someone's learnt something