views:

298

answers:

6

Let's say I have a table of users set up like this:

CREATE TABLE `users` (
    `id` INTEGER PRIMARY KEY,
    `name` TEXT,
    `hashed_password` TEXT,
    `salt` TEXT
)

When a user is created, a randomly-generated salt is produced and stored in the database alongside the results of something like get_hash(salt + plaintext_password).

I'm wondering that if a malicious user gets their hands on this data, would they be able to use it to crack users's passwords? If so, what's a way that it could be prevented?

+2  A: 

If an attacker knows the salt, the hashed password and the hash algorithm, then they can mount a brute-force dictionary attack (or rainbow attack).

Mitch Wheat
Salts gain their power by being unique to the entry, not by being secret. Check the wikipedia entry on rainbow table where it says "A salt is often employed with hashed passwords to make this attack more difficult, often infeasible."
dmckee
+14  A: 

No, they're not useless.

So long as you use a unique salt for each row, then the salt will prevent slow down an attack. The attacker will need to mount a brute force attack, rather than using rainbow tables against the password hashes.

As mentioned in the comments, you should ensure that the salt is a sensible size.

LukeH
the question asks if the attacker knows the salt
Mitch Wheat
Luke's answer is assuming the attacker knows the salt. The point is that without a salt at all, the attacker could just look up the hashed password in a rainbow table they found on the net. With the addition of the salt, the attacker has to do the brute force work themselves.
Peter Recore
Crucial point: the size of the salt has to be chosen large enough that the attacker cannot possibly have a rainbow table large enough. Obviously 8 bits of salt wouldn't absolutely prevent a rainbow table attack, just increase the required table size by at most a factor of 256. 128 bits of random salt, otoh, rules out rainbow tables now and for ever.
Steve Jessop
@Mitch: Precomputing all possible MD5 hashes (to give an insecure example) of passwords up to n characters is easy. Salting is good because precomputing that many passwords * number of possible salts isn't possible. The salt isn't hidden.
ojrac
+4  A: 

Knowing the salt makes it possible to do a brute-force attack, but that doesn't make it useless. Salt prevents the attacker from using an already generated rainbow table (which you could find on the web).

The best way to prevent brute-forcing is simply to use long, complex passwords.

Zifre
+7  A: 

Salting was introduced (or at least made popular) in UNIX /etc/passwd file, which was world-readable. It is usually assumed that the salt as well as the encrypted password is known to the cracker. The purpose of the salt is the slow-down of the cracking process (since the same password won't map to the same encrypted string); it is not a secret in itself.

mfx
+1  A: 

No, it's not worthless.

To successfully attack an account, an attacker needs to know the salt for that account (and every account's salt should be different), the hashing algorightm used, and the final stored password hash.

Given all of that information, you can write a program that keeps trying to hash different potential passwords until it finds one that matches.

If it's a bad salt (too simple or short), this can be made much faster because the program can use rainbow lookup tables to match the final stored password hash to the string that was hashed, and then just subtract the salt. But they still need all the information.

If it's a shared salt, this is bad because an attacker and use the salt to generate a rainbow table in advance that's good for any account on your system.

Joel Coehoorn
+1  A: 

This should give you an idea of how it works.

Lets say you want to encrypt a word "secret." After it is encrypted lets say it now looks like this 00110010.

If a hacker knows the encryption algorithm, they can create a table of words and their corresponding encrypted values. So they take the encrypted password "00110010" and find it in the table. Now they know that the password used to generate "00110010" was the word "secret." If you salt the word first, then a generic lookup table will be useless to the hacker. (A generic lookup table being a table of unsalted dictionary words and their encrypted values)

If you salt the word first ("saltsecret"), now the encrypted value will look different, and the hacker wont find it in the lookup table.

However, they can still start creating their own lookup table from scratch using your salt and eventually they will be able to reverse lookup passwords.

So to answer the question, if the passwords are sufficiently complex, it will take ages for the hacker to figure them out. You could change your salt every year and they would have to start creating a table all over again.

Kelly
Also, if you don't use a salt (or you use a shared salt) then the attacker will know that every row with the hash "00110010" has the password "secret". If you use a unique salt for each row then every user could have the same password and the attacker wouldn't know it.
LukeH