Purpose of a salt.

BYOND Forums

Announcements · BYOND Help · Bug Reports · Feature Requests · Beta Testers · Beta Bugs · Developer Help · Design Philosophy · Demos & Libraries · Tutorials & Snippets · Art & Sound · Classified Ads · Game Updates · Contests & Events · Linux Talk · On Topic · Off Topic

Purpose of a salt.

ID:151421

Jan 21 2011, 7:46 am

CauTi0N

I've been doing a lot of playing around in PHP and MySQL, and I decided I wanted to do a login system. Well, this was actually not all difficult setting up, but I did have a few issues regarding security (I felt a standard hash was not enough).

So far what I've gathered, a standard hash usually is good enough, provided you are using a good hash algorithm (not md5 anymore). Well, I also came across people mentioning using randomly-generated salts. The only purpose I can see in a salt is so people cannot "more easily" use a MySQL injection to automatically login to someones website. However, I cannot seem to find any other use - what do you guys use salts for? And, how do you make logins more secure?

On a side note, and this isn't related to DM though the above could loosely be... how do you make a secure https page?

Jan 21 2011, 7:54 am
Soldierman	Salt is used so two people's password hash never have the same value. For example, if you and I used the exact same password it would result in the exact same hash, but with salt applied, the hash would be completely different.

Jan 21 2011, 8:00 am
Jp	It also helps protect against http://en.wikipedia.org/wiki/Rainbow_table attacks

Jan 22 2011, 12:01 pm

Loduwijk

CauTi0N wrote:

So far what I've gathered, a standard hash usually is good enough, provided you are using a good hash algorithm (not md5 anymore)

One of the reasons that using a salt became prevalent was to attempt to keep MD5 around. There was a lot of arguing for a while about whether everyone should abandon MD5, and if you search enough you'll find a lot of people saying "You're still fine with MD5 as long as you use a good salting scheme."

Personally, I think that MD5 is unlikely to be abused in any personal website you make, especially if properly salted, but that it doesn't make sense to use it as long as there are better options. Just use SHA - it follows the same hashing scheme as MD5 but is better, and there are several versions of it which provide different levels of precision. Whatever you do, just don't use the first version of SHA, as it was quickly fixed because of it had some problems.

The only purpose I can see in a salt is so people cannot "more easily" use a MySQL injection to automatically login to someones website. However, I cannot seem to find any other use - what do you guys use salts for? And, how do you make logins more secure?

There are several reasons to salt, and some of them have been listed by the other repliers here. For more information about salting, how to do it properly, and why to do it, you should try Googling for vulnerabilities in hashing schemes. You generally find more information for how to be more secure by Googling ways to break your security than you do by Googling ways to make your security better.

For example, if you are using MD5 and want to protect against collision vulnerabilities, you're better off Googling "How do I cause an MD5 collision?" than "How do I protect MD5?" Hashing isn't the only topic that is like this either; for many computer topics the people that are explaining how to abuse systems are also often the ones that best know how to protect those systems and are giving good information.