salt

How strong do salts need to be?

How strong do salts need to be? At the moment I use this function to generate a "unique" salt upon user registration: $salt = substr(str_shuffle('0123456789abcdefghijklmnopqrstuvwxyz'), 0, 12); I then hash it with sha1 along with the password. What do you think? PS. I'm not planning on getting MySpace big. ...

using account names as salt

So I'm making a website for a game. Nothing that will get popular :P Right now I'm thinking about password security, I'm gonna use salting but instead of adding a new column in account table I was thinking about using the account name as salt since it can't be changed, and is "unique". I mean 2 users can't have the same account name. But...

Using a hash of data as a salt

I was wondering - is there any disadvantages in using the hash of something as a salt of itself? E.g. hashAlgorithm(data + hashAlgorithm(data)) This prevents the usage of lookup tables, and does not require the storage of a salt in the database. If the attacker does not have access to the source code, he would not be able to obtain the...

question about salt

How much stronger would this be: return sha1($salt.sha1($passwd)); compared to just: return sha1($salt.$passwd); salt is a per-user strong 12 char with random ascii ...

Double salt for hashing passwords?

I'm thinking of hashing user passwords with two different salt strings, one stored in the code which is the same for all users and another stored in the database for which each user has their own unique value. Would this be more effective than simply storing the values in the database? Any advice, opinions appreciated. Thanks ...

How to specify a custom salt on Acegi with grails?

I have a need to specify a custom salt when encoding passwords with acegi 0.5.2 plugin for grails. I have found a tutorial that shows how to use a ReflectionSaltSource using a parameter of the user (possibly the username). However, I was unable to get that to work and I actually need to be able to control the salt more than just pickin...

Hash and salt passwords in C#

I was just going through one of DavidHayden's articles on Hashing User Passwords. Really I can't get what he is trying to achieve. Here is his code: private static string CreateSalt(int size) { //Generate a cryptographic random number. RNGCryptoServiceProvider rng = new RNGCryptoServiceProvider(); byte[] buff = new byte[si...

Am I misunderstanding what a hash salt is?

I am working on adding hash digest generating functionality to our code base. I wanted to use a String as a hash salt so that a pre-known key/passphrase could be prepended to whatever it was that needed to be hashed. Am I misunderstanding this concept? ...

Help with salt and passwords

I want to implement a salt into my login system but am a bit confused on how this is supposed to work. I can't understand the logic behind it. I understand md5 is a one-way algorithm and all of the functions that I have come across seem to hash everything together. If this is the case, how does one get the password back out for compariso...

PHP crypt and salt - more clarification please

I was here yesterday and got some really great answers. I took what I got and put together, what I think will be a fairly secure algorithm. I'm having a problem using blowfish with a for loop that generates the salt. I'm using base64 characters and a for loop to get a random string. I want to take this generated string and insert it int...

Why does BCrypt.net GenerateSalt(31) return straight away?

I stumbled across BCrypt.net after reading Jeff Atwood's post about storing passwords which led me to Thomas Ptacek's recommendation to use BCrypt to store passwords. Which finally led me to this C# implementation of BCrypt. In the comments on the last link above someone asked "Why do GenerateSalt(30) take for ever, but GenerateSalt(31) se...

What is the correct format for a blowfish salt using PHP's crypt?

I have read the information provided on the PHP Manual Entry for crypt(), but I find myself still unsure of the format for a salt to trigger the Blowfish algorithm. According to the manual entry, I should use '$2$' or '$2a$' as the start of a 16 character string. However, in the example given later, they use a much longer string: '$2a$07$uses...

Why does crypt/blowfish generate the same hash with two different salts?

This question has to do with PHP's implementation of crypt(). For this question, the first 7 characters of the salt are not counted, so a salt '$2a$07$a' would be said to have a length of 1, as it is only 1 character of salt and seven characters of meta-data. When using salt strings longer than 22 characters, there is no change in the ...

Salt exposure in authentication stages

I have implemented the multistage authentication illustrated below. Brackets ([ and ]) symbolize a hash. The client has a key and a secret used for authentication. The server has a database table with rows containing a key, salt and a [secret + salt] Client Server | ...

Does a hash salt have any other use than to prevent rainbow table attacks?

I have heard that the only purpose of a salt is to prevent rainbow table attacks, but surely it must have more value than this? Would it not prevent a dictionary-based attack too? And what about brute-forcing, would a salt be of any use there? And could you explain why, please? Second, suppose I had an algorithm that took the microtime,...

salt and hash generation question

Hi, I would just like your feedback on something. Basically I have a value called $uniqueID which is = ID + First Letter of First Name + First Letter of Last Name + The String "CAN" I have then turned $uniqueID into a salt value as follows $salt = sha1($uniqueID); I have then turned the user's password into a hash value using md5(...

How to retrieve salt if using HTTP authentication scheme ?

Hello, is it possible to use a salted password along with standard HTTP authentication schemes (FORM or DIGEST)? I am using GlassFish, and when I request a protected page, the form or the answer with the nonce are sent back directly by the server. I can't see any obvious way to hook into the server mechanism to insert the salt in the 3...

Convert ASP.NET membership system to secure password storage

I have a potential client that set up their website and membership system in ASP.NET 3.5. When their developer set up the system, it seems he turned off the security/hashing aspect of password storage and everything is stored in the clear. Is there a process to reinstall/change the secure password storage of ASP.NET membership without c...

Generating a salt in PHP

What's the best way to generate a cryptographically secure 32-byte salt in PHP, without depending on libraries seldom included in typical PHP installations? After some googling I discovered that mt_rand is not considered secure enough, but I haven't found a suggestion for a replacement. One article suggested reading from /dev/random bu...

How to create an asp.net membership provider hashed password manually?

I'm using a website as a frontend and all users are authenticated with the standard ASP.NET Membership-Provider. Passwords are saved "hashed" within a SQL-Database. Now I want to write a desktop-client with administrative functions. Among other things there should be a method to reset a user's password. I can access the database with the...