tags:

views:

170

answers:

5
+9  Q: 

Salting: Is it reasonable to use the user name?

I am debating using user-names as a means to salt passwords, instead of storing a random string along with the names. My justification is that the purpose of the salt is to prevent rainbow tables, so what makes this realistically less secure than another set of data in there?

For example,

hash( md5([email protected]), p4ss\/\/0rD)

vs

hash( md5(some_UUID_value), p4ss\/\/0rD)

Is there a real reason I couldn't just stick with the user name and simplify things? The only thing my web searching resulted was debates as to how a salt should be like a password, but ended without any reasoning behind it, where I'm under the impression this is just to prevent something like a cain-and-able cracker to run against it without being in the range of a million years. Thinking about processing limitations of reality, I don't believe this is a big deal if people know the hash, they still don't know the password, and they've moved into the super-computer range to brute force each individual hash.

Could someone please enlighten me here?

+9  A: 

You'll run into problems, when the username changes (if it can be changed). There's no way you can update the hashed password, because you don't store the unsalted, unhashed password.

Chris Lercher  2010-07-27 19:17:33
I like this reason as it complicates what my system is doing, but I don't see why I can't run a re-set of the password at that moment (it could even be as simple as the "verify change with your password" screen).
 2010-07-27 19:19:57
You can also use registration date. It's not so likely to change :)
m01  2010-07-27 19:22:59
@chris_I: I agree with user257493, if they change the username, just store a newly encrypted password at the same time.
Chris Lively  2010-07-27 19:23:02
@user257493 Yes, if your users are ok with that, and if the salt has to be transmitted openly anyway, then it's almost as good as a random salt. (It's theoretically possible, that somebody precalculates a table with common user names.)
Chris Lercher  2010-07-27 19:23:27
@m01 I really like your idea, it's much less likely to be known the microsecond time that the sql string building took place on my server.@chris_I The design right now does have them in the open, which is somewhat unfortunate (and why I'm asking).
 2010-07-27 19:29:56
@user257493 I agree with David Thornley, that it's ok to have them in the open. The secret is the password. Trying to add security by hiding the salt is a little bit obscure anyway. I like m01's idea, too!
Chris Lercher  2010-07-27 19:34:19
+2  A: 

I don't see a problem with utilizing the username as the salt value.

A more secure way of storing passwords involves using a different salt value for each record anyway.

If you look at the aspnet_Membership table of the asp.net membership provider you'll see that they have stored the password, passwordsalt, and username fields in pretty much the same record. So, from that perspective, there's no security difference in just using the username for the salt value.

Note that some systems use a single salt value for all of the passwords, and store that in a config file. The only difference in security here is that if they gained access to a single salt value, then they can more easily build a rainbow table to crack all of the passwords at once...

But then again, if they have access to the encrypted form of the passwords, then they probably would have access to the salt value stored in the user table right along with it... Which might mean that they would have a slightly harder time of figuring out the password values.

However, at the end of the day I believe nearly all applications fail on the encryption front because they only encrypt what is ostensibly one of the least important pieces of data: the password. What should really be encrypted is nearly everything else.

After all, if I have access to your database, why would I care if the password is encrypted? I already have access to the important things...

There are obviously other considerations at play, but at the end of the day I wouldn't sweat this one too much as it's a minor issue compared others.

Chris Lively  2010-07-27 19:34:21
The password is very important, because many users use the same password for multiple systems!
Chris Lercher  2010-07-27 19:37:34
hashing != encryption, hashing is more a service to your users. Since hashing by definition is not reversible you are protecting your users password from even possible insider snooping. Encryption on the other-hand cannot protect from snooping by insiders with a key. Technically, if you don't plan on your database ever being stolen why not just store the passwords in cleartext?
joshperry  2010-07-27 20:07:15
@joshperry: I was actually arguing the other way around. You should **plan** on your database being stolen which is why the whole thing should be encrypted, not just the passwords.
Chris Lively  2010-07-27 20:11:26
Chris, usernames are entirely predictable, so they'd be vulnerable to a rainbow table generated for that username.
Steven Sudit  2010-07-27 20:14:23
@Steven: But the rainbow table would only apply to that one record in this one database. The purpose of a salt is to prevent rainbow tables from being applied to ALL the records. In effect, a rainbow table would have to be compiled for each username. This is simply not feasible as you are talking about generating between 8GB and 80GB of rainbow data PER LOGIN NAME. The time it would take to do this is nontrivial and goes up with password length.
Chris Lively  2010-07-27 23:36:11
@Chris: You're a nice guy, but you don't have a criminal mind. You only need to hack one account, which has a predictable name: Administrator.
Steven Sudit  2010-07-28 00:28:54
@josh: Good point. In fact, the biggest vulnerability the user has is that they keep transmitting their password. If the system sends them their salt, they can do the hashing on the client side and send only the hash over the wire.
Steven Sudit  2010-07-28 00:30:34
@Steven: Provided "administrator" is an actual username in your system, then I agree... Regarding the idea of only passing the hashed version, this is really no more secure than passing in the "plain" password for hashing server side. Either is vulnerable to replay.
Chris Lively  2010-07-28 00:50:22
@Chris: Storing the salted hash prevents an insider from figuring out the users' passwords, but it doesn't stop them from subverting the logon process to log the password before hashing. On the other hand, if we give the salt and a nonce to the client, have the user enter their password, hash it with the salt, and then hash it with the nonce using HMAC...
Steven Sudit  2010-07-28 07:06:25
A: 

This method was deemed secure enough for the working group that created HTTP digest authentication which operates with a hash of the string "username:realm:password".

I think you would be fine seeing as this decision is secret. If someone steals your database and source code to see how you actually implemented your hashing, well what are they logging in to access at that point? The website that displays the data in the database that they've already stolen?

In this case a salt buys your user a couple of security benefits. First, if the thief has precomputed values (rainbow tables) they would have to recompute them for every single user in order to do their attack; if the thief is after a single user's password this isn't a big win.

Second, the hashes for all users will always be different even if they share the same password, so the thief wouldn't get any hash collisions for free (crack one user get 300 passwords).

These two benefits help protect your users that may use the same password at multiple sites even if the thief happens to acquire the databases of other sites.

So while a salt for password hashing is best kept secret (which in your case the exact data used for the salt would be) it does still provide benefits even if it is compromised.

joshperry  2010-07-27 19:59:00
A: 

Random salting prevents comparison of two independently-computed password hashes for the same username. Without it, it would be possible to test whether a person's password on one machine matched the one on another, or whether a password matched one that was used in the past, etc., without having to have the actual password. It would also greatly facilitate searching for criteria like the above even when the password is available (since one could search for the computed hash, rather than computing the hash separately for each old password hash value).

As to whether such prevention is a good thing or a bad thing, who knows.

supercat  2010-07-27 20:00:24
A: 

If you use the username as password and there are many instances of your application, people may create rainbow tables for specific users like "admin" or "system" like it is the case with Oracle databases or with a whole list of common names like they did for WPA (CowPatty)

You better take a really random salt, it is not that difficult and it will not come back haunting you.

Philippe  2010-08-02 13:03:19

related questions

c# how hashtable shrinks when elements are removed from hashtable?
How can a hashtable be bound to a drop down list?
Populate JTable from a Hashtable in Java
Chosing a suitable table size for a Hash.
The fundamentals of Hash tables?
Best way to remove an entry from a hash table
Hashtable.OnDeserialization
C# Collection Data Structure With 1:1 Key/Value Mapping
Simple hashmap implementation in C++
How Do I Choose Between a Hash Table and a Trie (Prefix Tree)?
Cuckoo hashing in C
How many hash buckets
What is the best way to calculate word frequency in VB.NET?
Hashtable implementation for Delphi 5
How can I convert List<object> to Hashtable in C#?
Map an object reference with HashTable
Why are entries in addition order in a .Net Dictionary?
What are hashtables and hashmaps and their typical use cases?
Hashtable in C++?
Can anyone recommend a good Hashtable implementation in Javascript?
Persistent Binary Tree / Hash table in .Net
How do you implement GetHashCode for structure with two string
Literal hashes in c#?
Java hashmap vs hashtable
Print out the keys and Data of a Hashtable in C# .NET 1.1