salt

MySQL SHA salt

Hello, I am setting a cookie something like: $_COOKIE['test'] = SHA1('124'.'mysalt'); Now 124 is my id which I want. So in my MySQL table, I am trying to run a query like: $sql = ("SELECT * FROM users WHERE SHA1(`id`) = '".mysql_real_escape_string($_COOKIE['test'])."'"); Problem is how do I add the "mysalt" to the SQL query? Be...

Are hashed and salted passwords secure against dictionary attacks?

I understand that salts make the same password hash to different values. However, salts are usually stored in the database with the password. So let's say I am an attacker, here is how I might use a dictionary attack against a salt (note in this example I don't write out 128 bit hashes or salts for the sake of brevity): user_pw = 'blowfi...

Password hashing, salt and storage of hashed values

Suppose you were at liberty to decide how hashed passwords were to be stored in a DBMS. Are there obvious weaknesses in a scheme like this one? To create the hash value stored in the DBMS, take: A value that is unique to the DBMS server instance as part of the salt, And the username as a second part of the salt, And create the concat...

Is a GUID a good salt? Does my register/login process have any flaw?

If my table inside the database looks like: userid uniqueidentifier username varchar(20) password varbinary(max) When the user submits (to register), I send the user/pass to a stored procedure. The stored procedure creates a new GUID (using NEWID()) then I use the HashBytes(sha1) function of SQL Server to create the password based on t...

How would you add salt to your existing password hashes?

I have a database of hashed passwords that had no salt added before they were hashed. I want to add salt to new passwords. Obviously I can't re-hash the existing ones. How would you migrate to a new hashing system? ...

Where do you store your salt strings?

I've always used a proper per-entry salt string when hashing passwords for database storage. For my needs, storing the salt in the DB next to the hashed password has always worked fine. However, some people recommend that the salt be stored separately from the database. Their argument is that if the database is compromised, an attacker...

Password Salt: Additional Best Practices

Like most programmers, I am not an expert on cryptography but I understand the basics. However, a little knowledge can be a dangerous thing, as noted in Jeff's blog post. With that in mind, I understand the purpose of a salt value but I need a little help understanding how to use salt values. I've read in the other posts on this subject...

Salted hashes and password histories

Wondering whether it matters if a salt is unique for a single given user each time the password is changed, or whether it's not a big deal to reuse the same salt each time. I currently generate a new random string as the salt each time a given user updates the password. This way each time the user has a new password there is also a salt...

User Login with a single query and per-user password salt

I've decided to implement a user login using a per-user salt, stored in the database. The salt is prefixed to a password which is hashed with SHA and stored in the database. In the past when I wasn't using a salt I would use the typical method of counting the number of rows returned by a query using the user inputted username and passwo...

How can I generate a vBulletin password salt from a md5 hash?

I'm transferring users from my old database to a vBulletin database. I want a script to do this as it'll take forever otherwise. I have all the user's passwords stored just like md5(password) But of course, this doesn't work with vBulletin due to salts etc. So my code is this: <?Php mydatabase_connect(); $select=mysql_query("SELECT ...

Help me make my password storage safe

How much safer is this than just md5? I've just started looking into password security. I'm pretty new with PHP. $salt = 'csdnfgksdgojnmfnb'; $password = md5($salt.$_POST['password']); $result = mysql_query("SELECT id FROM users WHERE username = '".mysql_real_escape_string($_POST['username'])."' ...

is this ok? salting

Hey, I would like to have your input on this. I use this to generate unique salts for each of my users when they register (random letters and numbers). How big is the chance that salts will collide? uniqid(mt_rand()); I then use md5 to hash salt, password and email (in that order) together as password and rehash when they log in. md5($sa...

Salt Generation and open source software

Hello, As I understand it, the best practice for generating salts is to use some cryptic formula (or even magic constant) stored in your source code. I'm working on a project that we plan on releasing as open source, but the problem is that with the source comes the secret formula for generating salts, and therefore the ability to run ...

Is it okay to store salts with hashes?

My understanding is that a salt is not intended to be secret, it is merely intended to be different from any centralized standard so that you can't develop a rainbow table or similar attack to break all hashes that use the algorithm, since the salt breaks the rainbow table. My understanding here might not be completely correct, so corre...

create random sha1 salt with javascript

Hi! Can anyone recommend a good method to create a sha1 salt using JavaScript? ...

Comprehensive information about hash salts

There are a lot of questions about salts and best practices, however most of them simply answer very specific questions about them. I have several questions which feed into one another. Assuming a database is compromised a per user salt prevents the use of generic rainbow tables to crack passwords. A separate rainbow table would have ...

Is forcing complex passwords "more important" than salting?

I've spent the past 2 hours reading up on salting passwords, making sure that I understood the idea. I was hoping some of you could share your knowledge on my conclusions. Say the salts on a system are 12 characters. If I'm an attacker, I don't have to create a rainbow table of all the combinations of those 12 characters with each entr...

php secure login

What do you think about this login procedure? Is it pretty safe? When they log in, I first check that the username exists; if it does, I grab the salt (every user has a unique salt) from the user, which I re-hash with the posted password $pass = hash('sha256', $salt . $posted_password); and then I just compare with $check = mysql_query("SELE...

Any value in salting an already "strong" password?

Is there any benefit in salting passwords for a strong, unique (not used for other applications by the user) password? Salting (as I am aware) protects against rainbow tables generated with a dictionary or common passwords. It also protects against an attacker noticing a user with the same hash in another application. Seeing as a stron...

Salting Algorithm Strength

What are the advantages / disadvantages of those 3 methods to create a salt? $salt = md5($password); $salt = sha1(md5($password)); $salt = generate_random_number(); Computing hash: $hash = sha1($salt + $password); ...