Thread: Password encryption?
View Single Post
02-24-2007, 07:30 PM
 #34
echoSwe is offline echoSwe
Status: Member
Join date: Jul 2005
Location:
Expertise:
Software:
 
Posts: 185
iTrader: 0 / 0%
 

echoSwe is on a distinguished road

  Old

First of all: HASHING DOES NOT EQUAL ENCRYPTION, OMG! Glad to have that out of my system once and for all. Now let's not mention it again.

I think you need to understand some stuff. The random salt MUST be stored somewhere, or you can't get the hash corresponding to password+salt when the user logs in next time, so the salt IS STORED somewhere.

Also, if your static "salt" is discovered, how would you change it? You can't get the saved password data back, without explicitly adding a check on the next time the user logs in and if the user has the 'old' hash, update the saved password data. And if it's discovered, you don't 'calculate' passwords, as much as you compare the hashed dictionary against the saved hashes. You must also ask yourself the question whether your hosting company completely trustworthy, and even if you come to the conclusion that they are 99%, why risk it by storing the hash like you have?

And how would the user 'grap their hash' exactly? It's not like you save their password or rather their corresponding hash, in a cookie, but rather just send an authentication cookie, with a unique identifier, other than the hash. Also, how would the user connect to the data storage if they 'grap their hash from the cookies'?

The fact that no tables can be generated at all if the salt is unique for every password, is imho the point I'm trying to make here. Why put yourself in a situation where you don't have a more secure solution if it can be done in a minimal amount of work?

"Without salts, an attacker who is cracking many passwords at the same time only needs to hash each password guess once, and compare it to all the hashes. However, with salts, all the passwords will likely have different salts; so each guess must be hashed separately for each salt, which is much slower since hashing is usually very expensive." http://en.wikipedia.org/wiki/Salt_%28cryptography%29

Which extends to that a static hash which is discovered is just as safe as if you had no salt at all.
http://www.hackerthreads.org/phpbb/v...ic.php?p=81054