tags:

views:

57

answers:

3
+1  Q: 

Publicly viewable salt security

If the password salt for keys are viewable does it not improve security compared to without salt?

Would it be better just to not use the salt and improve some performance?

+3  A: 

Even a publicly viewable salt increases the security a bit, because your attackers cannot use previously generated rainbow tables. They have to generate their own. This takes a very long time.

Marius  2009-08-04 01:39:03
Then does it matter how long the salt be?
Atomble  2009-08-04 01:43:14
If the salt is very short - for example only one byte - an attacker could just generate all possible 256 rainbow tables. But when the salt gets longer - maybe four bytes and longer - it no longer really matters because of the exponential growth there are just to many possible salts. But using a long salt - maybe 16, 32 or 64 bytes - doesn't cost much and you may gain some security against some (not yet discovered) attacks, hence I prefer using quite long salts.
Daniel Brückner  2009-08-04 02:51:00
If the salt is known, then the length does not matter Since the attacker knows the salt, he only needs to generate one rainbow table. If the salt is not known, then make a salt which is at least a few bytes long. As Daniel said, it costs almost nothing to use a salt which is very long.
Marius  2009-08-04 03:05:36
A: 

It prevents the use of pre-calculated hash tables or rainbow tables from being used to merely lookup an acceptable input.

Take a look at: http://en.wikipedia.org/wiki/Rainbow_table

Keep in mind that having the salt hidden increases security, because then the attacker does not know exactly what function is being used to generate the hashes. However, the main benefit of hashing passwords is in the event of them being obtained -- much more work to make use of a list of hashes than a list of plain passwords. If someone has your hashes, they likely have your salt as well. Just food for thought.

gahooa  2009-08-04 01:40:03
A: 

A unique salt will per password will prevent a Rainbow attack with a pre-computed hash. Using a unique salt per password requires the attacker to calculate the hash foreach individual password for each attempt.

It's main goal is slow the attacker down enough, to make the attack no longer feasible.

pb  2009-08-04 01:43:38

related questions

Encryption in C# Web-Services
How Do You Secure database.yml?
ASP.NET LocationProvider
What do you (or your company) use for wiping a machine?
Can a proxy server cache SSL GETs? If not, would response body encryption suffice?
Java: What is the best way to SFTP a file from a server
How do I call a Flex SWF from a remote domain using Flash (AS3) ?
Best way to store a database password in a startup script / config file?
Using VM to get around VPN restrictions
Best references for secure coding practices in ASP.NET and classic ASP.
Secure Memory Allocator in C++
Resolving Session Fixation in JBoss
Best Practices for securing a REST API / web service
Defensive programming
Personal Linux web server
Block user access to internals of a site using HTTP_REFERER
Is there an Unobtrusive Captcha for web forms?
My website got hacked... What should I do?
What all do I need to escape when sending a (My)SQL query?
How do you disable browser Autocomplete on web form field / input tag?
Best .NET obfuscation tools/strategy
Are there best practices for testing security in an Agile development shop?
What is the best way to avoid SQL injection attacks?
Found a critical bug, but the company doesn't care
PHP Session Security