Salts?

What exactly did this user mean about salts and md5s?


adni18

11:19 pm on Jun 27, 2006 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Hi, I read the following post <elsewhere> and was wondering what it meant. It sounds interesting, and a lot of people seem to like the idea. Does anybody know what it means?

You need to use salts for storing passwords in cookies.

cookie: md5(password . salt)
login: md5(password . <get salt from database>)

The end user never knows what their salt is. And if a cracker gets hold of the md5(pass.salt) hash, then they can't crack it because logging in with a cracked md5(pass.salt) (which would be nonsense) would not allow them to log in, because that would be like trying to log in with md5(md5(pass.salt) . salt) which would obviously not match any database records.

[edited by: coopster at 1:41 am (utc) on June 28, 2006]
[edit reason] removed url [/edit]

Little_G

11:32 pm on Jun 27, 2006 (gmt 0)

10+ Year Member



Hi,

The 'salt' is a random string appended to the end of the password before encryption.
For example, if you added a random string to the end of the password and encrypted it, like so:

md5("test" . "5ges")

which returns:
25136ab23919df5c2ebad1445eb03a66

Then if a cracker gets this hash and brute-forces it he will receive the password "test5ges". When he enters this it will fail because the server will try:
md5("test5ges" . "5ges")

which will return:
1d2a83e6bf9037e8902c0c7fadbf34c3

Andrew
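The check Andrew describes, written out as an added example (this is not code from the thread, and it uses Python's hashlib rather than PHP's md5()). The salt "5ges" and the password "test" are the post's own sample values; the stored record layout is an assumption. The point it demonstrates is that the server always re-appends the stored salt to whatever is typed, so a recovered "password+salt" string, or the hash itself, never verifies:

```python
import hashlib
import hmac

# Sample values from the post, used here as constructed test data.
SALT = "5ges"


def salted_md5(password: str, salt: str) -> str:
    """The thread's scheme: md5(password . salt), salt appended after the password."""
    return hashlib.md5((password + salt).encode("utf-8")).hexdigest()


def make_record(password: str, salt: str) -> dict:
    """What the server stores per user (assumed layout): the salt and the salted hash."""
    return {"salt": salt, "hash": salted_md5(password, salt)}


def login(candidate: str, record: dict) -> bool:
    """Server-side login: re-append the stored salt to whatever the user typed.

    compare_digest avoids leaking information through comparison timing.
    """
    return hmac.compare_digest(salted_md5(candidate, record["salt"]), record["hash"])


def demo() -> dict:
    """Show which inputs actually log in against a record for password 'test'."""
    record = make_record("test", SALT)
    return {
        # the real password: server computes md5("test" . "5ges") -> match
        "correct_password": login("test", record),
        # the brute-forced concatenation: server computes md5("test5ges" . "5ges") -> no match
        "brute_forced_concat": login("test5ges", record),
        # the stolen hash itself: server computes md5(hash . "5ges") -> no match
        "hash_alone": login(record["hash"], record),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'login OK' if ok else 'rejected'}")
```

Note that what protects the account here is only the server re-applying the salt; an attacker who learns both the salt and the hash can still guess the original password offline, and md5 is fast enough to make that cheap. That is the reason later replies insist on strong salts and on keeping password material out of cookies entirely.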

jatar_k

11:34 pm on Jun 27, 2006 (gmt 0)

WebmasterWorld Administrator 10+ Year Member



I always use salts for password encryption; it adds to the difficulty of decrypting

salts should be stored outside of the script itself and, if possible, on another server or in another building altogether

adni18

11:38 pm on Jun 27, 2006 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



But couldn't the hacker just see the string, test5ges and use substrings until he/she gets it right, or even just edit their own cookies?

jatar_k

11:39 pm on Jun 27, 2006 (gmt 0)

WebmasterWorld Administrator 10+ Year Member



that's why we never store passwords in cookies ;)

and yes, that particular salt could be brute forced rather quickly but that is why we apply the same rules to salts that we do to strong passwords

Little_G

11:42 pm on Jun 27, 2006 (gmt 0)

10+ Year Member



Hi,

There's an interesting idea here [uk.php.net] regarding time-sensitive hashes, i.e. it will not be valid after N seconds.

Andrew

jatar_k

11:46 pm on Jun 27, 2006 (gmt 0)

WebmasterWorld Administrator 10+ Year Member



same concept as time limiting the actual session and rotating salts over time periods
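One way to implement what the last two replies describe, a cookie value that carries no password material and stops being valid after N seconds, as an added example that is not part of the thread. It uses a server-side secret with an HMAC (an assumption; the linked uk.php.net note is not reproduced here) and a fixed clock value so the behaviour can be checked deterministically:

```python
import hashlib
import hmac
from typing import Optional

# Assumption: a secret that lives only on the server (config file, env var),
# never in the cookie. This value is constructed for the example.
SERVER_SECRET = b"constructed-example-secret-do-not-reuse"


def _sign(user_id: str, expires: int) -> str:
    """HMAC-SHA256 over the fields the cookie carries, keyed with the server secret."""
    msg = f"{user_id}:{expires}".encode("utf-8")
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()


def make_token(user_id: str, now: int, ttl_seconds: int = 3600) -> str:
    """Build the cookie value: user id, absolute expiry, signature. No password anywhere."""
    expires = now + ttl_seconds
    return f"{user_id}:{expires}:{_sign(user_id, expires)}"


def check_token(token: str, now: int) -> Optional[str]:
    """Return the user id if the token is intact and unexpired, else None.

    The signature is checked before the expiry so a forged expiry cannot
    extend a token, and compare_digest keeps the check constant-time.
    """
    try:
        user_id, expires_str, sig = token.rsplit(":", 2)
        expires = int(expires_str)
    except ValueError:
        return None
    if not hmac.compare_digest(_sign(user_id, expires), sig):
        return None
    if now >= expires:
        return None
    return user_id


if __name__ == "__main__":
    issued_at = 1_000_000
    tok = make_token("alice", issued_at, ttl_seconds=60)
    print("fresh:", check_token(tok, issued_at + 30))
    print("expired:", check_token(tok, issued_at + 61))
    print("edited user:", check_token(tok.replace("alice", "bob", 1), issued_at + 30))
```

A user who edits their own cookie (the worry raised earlier in the thread) changes the signed fields and fails the HMAC check; a user who keeps an old cookie fails the expiry check. Rotating SERVER_SECRET invalidates every outstanding token, which is the "rotating salts over time periods" idea in practice.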

StupidScript

11:51 pm on Jun 27, 2006 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



A 'salt' is an additional bit of a string that is used by various encryption routines to pretty much guarantee that the resulting 'hash' is unique. I didn't know that md5() could use a typical 'salt', but it's not hard to see how it could be made to do so.

For example (using fake code for illustration):

When a user chooses their password, for instance, how do you guarantee that none of the other users in that database have the same encrypted 'hash' in the database?

md5(userPWD.fromForm)
won't provide that desired uniqueness, because
md5('password')
will always result in the same 'hashed' value ("5f4dcc3b5aa765d61d8327deb882cf99").

So we add a little 'salt' to the mix.

md5(userPWD.fromForm + userID.fromDatabase)
provides a unique bit of text (the user's unique ID) that is appended to the possibly-duplicate password string chosen by the user to make a unique combination. This guarantees a unique 'hash' to be stored in the database for comparison.

md5('password'.'24')
results in a 'hash' value of "58bad6b697dff48f4927941962f23e90" and
md5('password'.'457')
results in a 'hash' value of "645296bd2aca27d3bcfa2e3abbc06082". Now, a non-unique password is stored as a unique 'hash' when a 'salt' has been added to the mix.

It's a security thing ... you don't want a password cracker with access to the database to be able to figure out a common password by guessing 'hash' values of common passwords.

<edit>WOW! A flurry of answers! :)</edit>
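The per-user salt idea from the post above, as an added example that is not the poster's code. It goes one step beyond the post: instead of a predictable user ID, each user gets a random salt, and the salted digest is produced by PBKDF2 (a deliberately slow hash) rather than a bare md5, which is what a practitioner would store today. The record format and iteration count are assumptions:

```python
import hashlib
import hmac
import secrets
from typing import Optional


def md5_hex(text: str) -> str:
    """Unsalted md5, as in the post: identical passwords give identical hashes."""
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None, iterations: int = 200_000) -> str:
    """Salted, slow password hash. Assumed record format: algo$iterations$salt$digest."""
    if salt is None:
        salt = secrets.token_bytes(16)  # fresh random salt per user, stored beside the digest
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the salt and iteration count from the stored record."""
    try:
        algo, iters, salt_hex, digest_hex = stored.split("$")
        if algo != "pbkdf2_sha256":
            return False
        digest = hashlib.pbkdf2_hmac(
            "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters)
        )
    except ValueError:
        return False
    return hmac.compare_digest(digest.hex(), digest_hex)


def compare_two_users(password: str = "password") -> dict:
    """Two users pick the same password; show what each scheme stores."""
    plain_a, plain_b = md5_hex(password), md5_hex(password)
    salted_a, salted_b = hash_password(password), hash_password(password)
    return {
        "unsalted_identical": plain_a == plain_b,   # the problem the post describes
        "salted_identical": salted_a == salted_b,   # fixed by the per-user salt
        "both_verify": verify_password(password, salted_a) and verify_password(password, salted_b),
    }


if __name__ == "__main__":
    print(compare_two_users())
```

The iteration count is what turns a guessed common password from a free table lookup into real work per guess; the random salt is what stops one precomputed table from covering every user at once. A bare md5 with a salt gets only the second property.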