
MD5, hashes, passwords, salts and more

1) You need to salt your passwords.

"Assume a user's secret key is stolen and he is known to use one of 200,000 English words as his password. The system uses a 32-bit salt (like md5). Because of this salt, the attacker's pre-calculated hashes are of no value. He/she must calculate the hash of each word with each of 2^32 (4,294,967,296) possible salts appended until a match is found. The total number of possible inputs can be obtained by multiplying the number of words in the dictionary with the number of possible salts:

2^{32} \times 200 000 = 8.58993459 \times 10^{14}

To complete a brute-force attack, the attacker must now compute about 800 trillion hashes, instead of only 200,000. Even though the password itself is known to be simple, the secret salt makes breaking the password radically more difficult." - http://en.wikipedia.org/wiki/Salt_(cryptography)

2) Now that I have got that off my chest, I recommend this excellent PHP class, phpass (http://www.openwall.com/phpass/); even WordPress has started using it.

3) Plain md5 is simply too easy to crack - it is the WEP of password hashing: http://md5.rednoize.com/

4) Rainbow tables can break the plain hashes your simple PHP scripts store: http://www.antsight.com/zsl/rainbowcrack/
http://en.wikipedia.org/wiki/Rainbow_table

So please, I don't want to see anyone still using plain md5() hashes - at least use a salt!

http://www.lightbluetouchpaper.org/2007/11/16/google-as-a-password-cracker/
http://phpsec.org/articles/2005/password-hashing.html


Submitted by David on April 8, 2008 - 8:04pm.

Storing salts?

Hey David, how do you recommend storing salts? Should they be randomly generated and stored in the MySQL database? If so, how would you access them using the login script? I'm just a bit confused about the process, so help would be great, thanks!


Salts of Life

I recommend that you create two salts. One for each user, stored with the MD5/SHA1 of the user's password. Second, I recommend you make a site-wide salt and store it in a config file, so that even if your database gets hacked into they still won't have the salt in your config file (and vice versa).

Look up a codeigniter library called "Redux Auth" (version 1.4 NOT 2.0) and you can see how they do it.
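The two-salt scheme described in this reply, together with the precomputation argument from the Wikipedia quote in the post, as an added Python example (not code from the post, phpass or Redux Auth). The word list and site-wide salt are constructed, and HMAC-SHA256 is this example's choice of salted hash rather than anything the page specifies.

```python
import hashlib
import hmac
import os

# Constructed toy word list standing in for the 200,000-word dictionary in the quote.
WORDLIST = ["password", "letmein", "dragon", "sunshine", "qwerty"]


def unsalted_md5(word):
    """Plain md5() of the password, the practice the post warns against."""
    return hashlib.md5(word.encode()).hexdigest()


def precomputed_table(words):
    """Attacker-side precomputation: unsalted digest -> word (what a rainbow table boils down to)."""
    return {unsalted_md5(w): w for w in words}


def lookup(table, stored_hash):
    """Instant recovery if the stored value is an unsalted digest; None otherwise."""
    return table.get(stored_hash)


def salted_hash(password, user_salt, site_salt):
    """Two-salt scheme from the reply: per-user salt stored beside the hash,
    site-wide salt kept in config. HMAC-SHA256 is this example's choice, not the page's."""
    return hmac.new(site_salt, user_salt + password.encode(), hashlib.sha256).hexdigest()


def create_record(password, site_salt):
    """What goes in the users table: the random per-user salt and the resulting hash."""
    user_salt = os.urandom(16)  # fresh 128-bit salt for every user
    return {"salt": user_salt.hex(), "hash": salted_hash(password, user_salt, site_salt)}


def verify(password, record, site_salt):
    """Login check: re-derive with the stored salt plus the config salt, compare in constant time."""
    candidate = salted_hash(password, bytes.fromhex(record["salt"]), site_salt)
    return hmac.compare_digest(candidate, record["hash"])


def brute_force_work(dictionary_size, salt_bits):
    """Hash computations needed once precomputation is useless: words x 2**salt_bits."""
    return dictionary_size * 2 ** salt_bits
```

A salt defeats precomputed tables, but a single fast hash still lets an attacker test a dictionary against one stolen record quickly, which is why phpass additionally iterates its hash many times.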

