LinuxQuestions.org
Review your favorite Linux distribution.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices

Reply
 
Search this Thread
Old 07-15-2011, 08:45 AM   #1
jeriryan
Member
 
Registered: Apr 2003
Location: United States
Distribution: RHEL 5.4, Snow Leopard
Posts: 84

Rep: Reputation: 15
Storing salt along with hashed passwords on web server?


Not specifically related to Linux, but hoping someone can help anyway. I've been doing a bit of light reading on password hashing so I'm a noob, but what is the point of storing the salt used to hash a password right alongside the hashed password in a database like I've read that webservers do? I thought the point was that the attacker doesn't know the salt so bruteforcing or dict-attacking the password from the hash would be that much harder. But if he knows the salt already, doesn't that defeat the point? He's back to just generating or looking up the hash function with that salt for that password...am I making any sense from my newbie perspective?
 
Old 07-15-2011, 08:51 AM   #2
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,415

Rep: Reputation: 1968Reputation: 1968Reputation: 1968Reputation: 1968Reputation: 1968Reputation: 1968Reputation: 1968Reputation: 1968Reputation: 1968Reputation: 1968Reputation: 1968
If you have a password hash then the point would be that you can take that hash and match it against existing lists of hash / plaintext pairs. When you also have a pseudo random salt involved, then that hash is vastly obscenely astonishingly less likely to be able to be found in a dictionary.

number of MD5 strings for "password" = 1

number of MD5 strings for "password4847d9d", "password84d83uj" etc... = oooh loads.

does that make sense?

Last edited by acid_kewpie; 07-15-2011 at 08:52 AM.
 
Old 07-15-2011, 09:00 AM   #3
jeriryan
Member
 
Registered: Apr 2003
Location: United States
Distribution: RHEL 5.4, Snow Leopard
Posts: 84

Original Poster
Rep: Reputation: 15
Quote:
Originally Posted by acid_kewpie View Post
If you have a password hash then the point would be that you can take that hash and match it against existing lists of hash / plaintext pairs. When you also have a pseudo random salt involved, then that hash is vastly obscenely astonishingly less likely to be able to be found in a dictionary.

number of MD5 strings for "password" = 1

number of MD5 strings for "password4847d9d", "password84d83uj" etc... = oooh loads.

does that make sense?
I think so. So the point of the salt is that it's very unlikely that a pre-computed table of hashes for a given string has already been created for that salt right? That means the attacker would have to manually create a table with all possible hashed passwords+that salt.

But why not store the salts that were used to generate user passwords separately so that even if the file with the hashed passwords is compromised, the attacker still has to do some work to acquire the salts? Not worth the extra effort given how long it will take the attacker to create the hash table/reverse-engineer the password even if he has the salt?
 
Old 07-15-2011, 09:04 AM   #4
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,415

Rep: Reputation: 1968Reputation: 1968Reputation: 1968Reputation: 1968Reputation: 1968Reputation: 1968Reputation: 1968Reputation: 1968Reputation: 1968Reputation: 1968Reputation: 1968
because salt + password = hash, so you need the salt still to know if the hashes match. These things don't make anything impossible, just harder and slower to perform.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
[SOLVED] OpenLDAP SHA hashed passwords won't work h.ka Linux - Server 5 02-27-2011 06:27 PM
Storing/remembering passwords ErV General 13 09-02-2008 09:45 PM
Storing usernames and passwords on the web? concoran Linux - General 9 03-28-2008 04:55 PM
Storing passwords Ze MoreirA Linux - Security 1 08-13-2007 06:41 AM
create hashed passwords in PHP ? ALInux Programming 1 11-12-2005 08:45 AM


All times are GMT -5. The time now is 06:06 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration