views:

36

answers:

2

I've heard of people using this approach and would like to know what the implications are. I just know it's a bad idea!

From what I understand, salting a password before storing the hash in a DB has the primary purpose of making every hashing algorithm unique, and thus requiring a new rainbow table for every user when trying to crack it.

How is a hash weakened in this context if the plain text was just salted with itself?

An example:

plainText = input();
saltedText = plainText + plainText;
hashedText = hash(saltedText);
db.store(hashedText);

And would the following approach have the same weaknesses or any other weaknesses?

plainText = input();
saltedText = hash(plainText) + plainText;
hashedText = hash(saltedText);
db.store(hashedText);
+1  A: 

I think you have misunderstood the purpose of the salt. The salt means that the same data, hashed twice would (usually) give two different results. This prevents attacks where knowing what values can create a given hash gives you the login to everyone who uses the same password.

As such duplicating the test to be hashed will not give you any benefits other than the perf hit of hashing more data.

Spence
If I understand correctly you've addressed the second approach (where hashing happens twice). And in the first approach it means that if 2 passwords are the same, the cracker only needs to crack the one to access the other. This is a weakness, I agree, and it's pretty obvious. Is it the only weakness?
Kevin Thiart
Aha nevermind, I understand what you mean now. There really is no point in adding a salt in this approach then, is there? The same plain text values will always produce the same hash, which eliminates any benefit of salting in the first place.
Kevin Thiart
Exactly. It's great that you're asking the question though, most people don't bother to look and end up using something easy and/or reversible for their passwords and session keys, massive security holes.
Spence
To be honest, I used to just use a constant in my code. I've learnt to use random salts since then, but I still see people (some of them with way more experience than myself) using funny things as salts for no reason. A lot of people are under the impression that the salt must also be kept a secret.
Kevin Thiart
A: 

In both your methods the salt is predictable, so only one rainbow table is needed.

You should use a different salt every time you hash a string:

plainText = input();
salt = getRandomSalt();
hashedText = hash(salt + plainText);
db.store(salt, hashedText);
Guffa
Ignore this - I get it.
DanSingerman