Do I change salt value when changing a user password?

Suppose I store a random salt value for each user. Do I have to generate a new salt value when that user password is changed or do I use the same value for the whole lifetime of that user account?

sharptooth asked Apr 28 '11 12:04



2 Answers

You should change the salt. The salt is designed to be unique (as much as possible) for all password instances.

If you use the same salt for the old and the new password, then an attacker who sees the old hashed password and the new hashed password can attack both for a cost which is less than twice the cost of attacking one. This is exactly the kind of thing that the salt was designed to avoid (and the salt has no other usage than that).

Of course, the old password, being old, is no longer a valid way to enter your system, but since users tend to reuse passwords, the old password might still be worthwhile (from the attacker point of view). In particular, the user may reuse that old password when he will change his password again (this is what most users do when faced with a system which requires regular password changing: they alternate between two passwords).

Thomas Pornin answered Sep 30 '22 06:09


If the password wasn't weak (and the attacker doesn't know the salt), using a different salt value won't improve your password security if the password is changed, so you can keep the same one.

The purpose of the salt value is to ensure that different users with the same password don't have the same password hash.

Anyway, suppose that an attacker has previously cracked the user password and knows the salt value. If you change only the password, the attacker could do less computation to break it again, because he already knows the salt.

So maybe it's a good idea to change the salt while setting a new password.

Heisenbug answered Sep 30 '22 04:09
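Both answers turn on the same observable property: if the old and new records share a salt, the stored data alone reveals whether the user set the same password again, and one hash evaluation per guess tests every record that shares that salt. The following Python is an added example (not code from the question or from either answer) showing a minimal per-user store with PBKDF2-HMAC-SHA256; `change_password` draws a fresh salt by default, and the `rotate_salt=False` path exists only to make the weaker choice visible side by side. The record layout, iteration count and function names are assumptions for this illustration.

```python
import hashlib
import hmac
import os

# Constructed example parameters (assumptions, not values from the page).
ITERATIONS = 100_000   # PBKDF2 work factor; tune for your hardware
SALT_BYTES = 16        # 128-bit random salt per stored password


def hash_password(password: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256 of the password under the given salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def new_record(password: str) -> dict:
    """Create a stored record with a freshly generated random salt."""
    salt = os.urandom(SALT_BYTES)
    return {"salt": salt, "hash": hash_password(password, salt)}


def change_password(record: dict, new_password: str, rotate_salt: bool = True) -> dict:
    """Return the replacement record for a password change.

    rotate_salt=True (the default and the recommended choice) draws a new salt.
    rotate_salt=False reuses the old salt and is included only for comparison.
    """
    salt = os.urandom(SALT_BYTES) if rotate_salt else record["salt"]
    return {"salt": salt, "hash": hash_password(new_password, salt)}


def verify(record: dict, password: str) -> bool:
    """Constant-time comparison of the candidate against the stored hash."""
    return hmac.compare_digest(record["hash"], hash_password(password, record["salt"]))


def reuse_visible(old: dict, new: dict) -> bool:
    """True when the stored records alone show the same password was set twice.

    That can only happen when the salt was reused; with a rotated salt two
    records never compare equal, whatever the passwords were.
    """
    return old["salt"] == new["salt"] and old["hash"] == new["hash"]


def hash_evaluations_per_guess(records: list) -> int:
    """Cost of checking one candidate password against all of these records.

    A hash computed under a salt can be compared against every record that
    uses that salt, so the cost is one evaluation per distinct salt.  This is
    the 'less than twice the cost' effect described in the first answer.
    """
    return len({r["salt"] for r in records})


def demo() -> dict:
    """Constructed scenario: a user 'changes' to the very same password."""
    original = new_record("correct horse")
    same_salt = change_password(original, "correct horse", rotate_salt=False)
    fresh_salt = change_password(original, "correct horse", rotate_salt=True)
    return {
        "verify_ok": verify(fresh_salt, "correct horse"),
        "verify_wrong": verify(fresh_salt, "wrong password"),
        "reuse_visible_same_salt": reuse_visible(original, same_salt),
        "reuse_visible_fresh_salt": reuse_visible(original, fresh_salt),
        "cost_same_salt": hash_evaluations_per_guess([original, same_salt]),
        "cost_fresh_salt": hash_evaluations_per_guess([original, fresh_salt]),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The two `cost_*` values are the practical summary: with the salt reused, one PBKDF2 evaluation per guess covers both the old and the new record; with a rotated salt each record costs its own evaluation, and nothing in the stored data links the two.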