
Using a salt value

4:09 am on Oct 9, 2012 (gmt 0)



Hi,

I've been reading up on using a salt value when creating a password to make it more secure, what I can't get my head round is how do you remember this salt value?

I'm guessing that when a user logs in to be able to compare the password entered with the one in the database you would need to again add the salt value to the entered password.

Am I missing something really obvious?

Thanks in Advance
8:39 am on Oct 9, 2012 (gmt 0)

phranque (WebmasterWorld Administrator)



The salt is used to encrypt the password, and then the salt is stored with the encrypted password so future attempts to authenticate will use the same salt to encrypt.
Therefore you can never read the clear-text password in the database, but you can match it if you know it.
11:41 am on Oct 9, 2012 (gmt 0)

swa66 (WebmasterWorld Senior Member)



A salt is added to prevent those laying their hands on your hashes from being able to see "hey, this one has the same salt as this one, so they have the same password" (likely a case of both using "password" as the password), or somebody having constructed the hashes of all known words in a dictionary (a so-called rainbow table) and hence being able to reverse all hashes from all weak passwords with a simple lookup.

Salt: make sure it is *random* (cryptographically random) and long. Just store it along with the hash.

user:
password

|
|
v

server:
concatenate password and salt (retrieved from database)
hash the above
verify against the stored hash


Upon password change: get a new random salt and hash the concatenation of the new password and the new salt. Store the new hash and the new salt.
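The register / verify / change-password flow that both replies above describe (phranque's "store the salt with the hash, reuse it on login" and swa66's diagram plus password-change step), as an added example that is not code from the thread or from any poster. It assumes a few things the thread leaves open: the "hash" is PBKDF2-HMAC-SHA256 (an iterated, slow hash rather than a single round of a fast digest), the salt is 16 random bytes from `os.urandom`, the "database" is a plain dict keyed by username, and the iteration count is set low enough to run quickly here (raise it for production). The function names (`register`, `verify`, `change_password`, `hash_password`) are this example's own.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Assumed parameters for this example (not from the thread).
SALT_BYTES = 16          # per-user random salt, stored next to the hash
ITERATIONS = 100_000     # kept modest so the demo runs fast; use a higher count in production
HASH_NAME = "sha256"

# In-memory stand-in for the users table: username -> {"salt": hex, "hash": hex}
UserDB = Dict[str, Dict[str, str]]


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, hash). Draws a fresh cryptographically random salt when none is given.

    With the same salt and password the output is deterministic, which is what
    lets the login path recompute and compare; with different salts the same
    password yields unrelated hashes, which is what defeats shared lookups.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(HASH_NAME, password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def register(db: UserDB, username: str, password: str) -> None:
    """Create (or overwrite) a user record: new random salt + hash, both stored."""
    salt, digest = hash_password(password)
    db[username] = {"salt": salt.hex(), "hash": digest.hex()}


def verify(db: UserDB, username: str, password: str) -> bool:
    """Login check: retrieve the stored salt, hash the candidate with it, compare."""
    record = db.get(username)
    if record is None:
        # Do the same amount of work for an unknown user so the response time
        # does not reveal which usernames exist.
        hash_password(password, b"\x00" * SALT_BYTES)
        return False
    salt = bytes.fromhex(record["salt"])
    _, candidate = hash_password(password, salt)
    # Constant-time comparison so byte-by-byte timing does not leak the stored hash.
    return hmac.compare_digest(candidate, bytes.fromhex(record["hash"]))


def change_password(db: UserDB, username: str, old: str, new: str) -> bool:
    """Password change as swa66 describes it: authenticate, then store a NEW salt and hash."""
    if not verify(db, username, old):
        return False
    register(db, username, new)   # fresh random salt, never the old one
    return True


if __name__ == "__main__":
    db: UserDB = {}
    register(db, "alice", "correct horse")
    register(db, "bob", "correct horse")   # same password as alice on purpose
    print("alice:", db["alice"])
    print("bob:  ", db["bob"])
    print("same password, same stored hash?", db["alice"]["hash"] == db["bob"]["hash"])
    print("alice login ok:", verify(db, "alice", "correct horse"))
    print("alice wrong pw:", verify(db, "alice", "Correct horse"))
    print("password change:", change_password(db, "alice", "correct horse", "new pass"))
    print("old pw after change:", verify(db, "alice", "correct horse"))
```

Two users with the identical password get different stored hashes because each got its own salt, so an attacker with the table cannot spot shared passwords or precompute one lookup table for everyone; the salt itself is not secret and sits in the clear beside the hash, exactly as the replies say. The `hmac.compare_digest` call and the dummy hash for unknown users are the two extra details a practitioner would want that the thread does not mention.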