Salted passwords


Darkranger85

Hey all,

 

I posted a few months ago trying out my first salted password and I utterly failed lol.

 

This is a small snippet from my current attempt.

 

    <?php
    // $pass holds the plaintext password submitted by the user
    $salt = md5(uniqid(rand()));   // salt: md5 of a uniqid() seeded from rand()
    $Pass_S = md5($pass.$salt);    // stored value: md5 of password concatenated with the salt

 

This is only the password and salt generation part. I'm sure the salt generation is probably too simple so please feel free to give your thoughts on that part.

 

Also the salt is stored on the database to be pulled up later for login uses.

 

Thanks all!

Link to comment
Share on other sites

Read the article in my signature. The language used is designed for intermediate programmers ready to get into safe one-way storage of sensitive information.

 

If you don't understand it after reading through, then you should use the class they provide and work on the basics a little bit more before trying something this complex.

 

Hope that helps.


Ok, I've read it over and I must say that my eyes have completely glazed over.

 

I understood some of the basic concepts but that's about it. I looked at the download of the program discussed in it and I don't really understand that either. I'm still pretty new and so many of the commands and such in there I simply don't understand yet.

 

I'll keep trying though, but any additional help is always appreciated! :)

 

Now, I had another question that I thought up as I was reading that article.

 

What if I made my login system in a way that when a user logged in it generated a new SALT and replaced the old one? Would that improve security or make it worse?

 

Thanks!


Won't make a difference. The salt is only there to make brute-forcing harder if an attacker manages to get the password's hash. The reason salts are unique in the first place is to prevent an attacker from figuring out a single salt and quickly brute-forcing other hashes.

 

Changing a salt once a hash is compromised won't add any extra security.

 

It's a very complex topic, but the users are trusting you with a secret password. You have an 'obligation' to protect that as best you can.


Again, I apologize for being a newb lol.

 

I don't understand why storing your passwords separately doesn't improve security.

 

If a hacker gets into your database but the passwords are stored in another database doesn't that give you a small victory? (Not saying I'm right, I'm just trying to understand lol)


How will 'hiding' the information help you at all? Dumping the contents of two databases isn't more difficult than one.

 

To try and simplify this, you're trying to hide data within a system specifically designed to find data quickly and easily.


I see.

 

I guess what it comes down to is I don't really know much about hacking in general so I wouldn't know what is more or less secure lol.

 

On the original topic, I also did some searching on Google about PhPass and I found articles on "bcrypt" linked to it. Is that related or is it something else entirely?


bcrypt is used by phpass.

 

This has been overly simplified, to help you understand. It's based on Blowfish, a well known block cipher. Blowfish was chosen because it's slow. bcrypt was designed to 'stretch' Blowfish over several iterations to be as slow as needed. This is done to slow down brute-forcing. If it takes 50ms instead of 0.5ms to calculate a hash, a brute-force will take up to 100x longer to perform. Since there have been no mathematical 'weaknesses' found in bcrypt thus far, there's no shortcut to speed brute-forcing up.

 

If bcrypt is available on the system, phpass uses it. If not, there are several similarly strong and slow algorithms that it will implement.

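As an added example (not code from the thread or from phpass), here is the poster's md5 salt scheme next to bcrypt through PHP's built-in password_hash(), plus a timing of the cost parameter that the reply above calls 'stretching'. The function names, the sample password and the cost values are assumptions made for this example.

```php
<?php
// Added example: compares the thread's md5+salt scheme with bcrypt via
// password_hash(), and times the bcrypt cost parameter.

// --- The scheme from the original post, kept only for comparison ---
function weakHash(string $pass): array {
    $salt = md5(uniqid(rand()));          // low-entropy salt, fast hash
    return ['salt' => $salt, 'hash' => md5($pass . $salt)];
}

// --- bcrypt: PHP generates a random salt and does the stretching ---
function strongHash(string $pass, int $cost = 12): string {
    // The returned string embeds algorithm, cost and a random salt,
    // so one stored column is enough; no separate salt column needed.
    return password_hash($pass, PASSWORD_BCRYPT, ['cost' => $cost]);
}

// Login check. Answers the 'new salt on every login' question from the
// thread: re-hash only when the stored cost falls below current policy.
function checkLogin(string $pass, string $stored, int $cost = 12): bool {
    if (!password_verify($pass, $stored)) {
        return false;
    }
    if (password_needs_rehash($stored, PASSWORD_BCRYPT, ['cost' => $cost])) {
        $fresh = strongHash($pass, $cost);   // write $fresh back to the DB
    }
    return true;
}

// Milliseconds taken to compute one bcrypt hash at the given cost.
function timeHash(int $cost): float {
    $start = hrtime(true);
    strongHash('correct horse battery staple', $cost);   // constructed input
    return (hrtime(true) - $start) / 1e6;
}

$pass   = 'hunter2';                        // constructed sample password
$weak   = weakHash($pass);
$strong = strongHash($pass);

echo "md5+salt: {$weak['hash']} (salt stored separately: {$weak['salt']})\n";
echo "bcrypt:   $strong\n";
var_dump(checkLogin($pass, $strong));
var_dump(checkLogin('wrong password', $strong));

// Each +1 on cost doubles the work: cost 12 is 2^8 = 256 times cost 4.
printf("cost 4:  %.1f ms\n", timeHash(4));
printf("cost 12: %.1f ms\n", timeHash(12));
```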
