I'm using Adam Griffiths's Authentication Library for CodeIgniter and I'm tweaking the usermodel.
I came across a generate function that he uses to generate tokens.
His preferred approach is to reference a value from random.org but I considered that superfluous. I'm using his fall back approach of randomly generating a 20 character long string:
$length = 20;
$characters = '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ';
$token = '';
for ($i = 0; $i < $length; $i++) {
    $token .= $characters[mt_rand(0, strlen($characters)-1)];
}
He then hashes this token using a salt (I'm combining code from different functions):
sha1($this->CI->config->item('encryption_key').$str);
I was wondering if there's any reason to run the token through the salted hash?
I've read that simply randomly generating strings was a naive way of making random passwords, but are the sha1 hash and salt necessary?
Note: I got my encryption_key from https://www.grc.com/passwords.htm (63 random alpha-numeric)
Recap. A cryptographic salt is made up of random bits added to each password instance before its hashing. Salts create unique passwords even in the instance of two users choosing the same passwords.
Salts must be unique. Randomness (with a "good" random generator) is sufficient to ensure uniqueness.
A salted secure hash algorithm helps protect password hashes against dictionary attacks by introducing additional randomness. Password hash salting is when random data – a salt – is used as an additional input to a hash function that hashes a password.
It is common for a web application to store in a database the hash value of a user's password. Without a salt, a successful SQL injection attack may yield easily crackable passwords. Because many users re-use passwords for multiple sites, the use of a salt is an important component of overall web application security.
Adding Salt to Hashing: A Better Way to Store Passwords. A salt is added to the hashing process to force their uniqueness, increase their complexity without increasing user requirements, and to mitigate password attacks like rainbow tables.
Finally, unique salts also make it impractical to use precomputed hash look-up tables (like the so-called "rainbow tables") to speed up password cracking, since, essentially, a separate table would be needed for every user.
If someone looked at the full list of password hashes, no one would be able to tell that Alice and Bob both use the same password. Each unique salt extends the password farm1990M0O and transforms it into a unique password. In practice, we store the salt in cleartext along with the hash in our database.
Generating random salts is easy and fast. Many password hashing libraries, especially the bcrypt ones, already do it for you. There really isn't a point in rolling your own scheme even if it's just as secure. Let's face it, we are all lazy people, aren't we? :P Why reinvent the wheel?
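As an added example (not part of the answer above, and not code from the Authentication Library in the question), here is the "let the library handle the salt" point in PHP using the built-in password_hash()/password_verify() pair, which wraps bcrypt. The function names and the two sample users are assumptions for illustration; the password value is the one quoted in the answer.

```php
<?php
// Added example (not from the original post or the library under discussion):
// why a per-user salt matters for passwords, using PHP's built-in bcrypt
// (password_hash/password_verify), which generates and stores the salt for you.

// Unsalted digest: identical passwords always produce identical digests, so a
// leaked table shows which users share a password and one lookup cracks them all.
function unsalted_sha1(string $password): string
{
    return sha1($password);
}

// bcrypt via password_hash(): a fresh random salt is drawn from the CSPRNG on
// every call and embedded in the returned string as "$2y$<cost>$<22-char salt><hash>".
function salted_bcrypt(string $password, int $cost = 12): string
{
    return password_hash($password, PASSWORD_BCRYPT, ['cost' => $cost]);
}

// Verification parses the cost and salt back out of the stored value and
// recomputes the hash, so no salt has to be stored in a separate column.
function check_password(string $password, string $stored): bool
{
    return password_verify($password, $stored);
}

// The salt is stored in cleartext; its job is uniqueness, not secrecy.
function bcrypt_salt(string $stored): string
{
    // "$2y$12$" is 7 characters, followed by the 22-character salt.
    return substr($stored, 7, 22);
}

// Constructed sample: Alice and Bob chose the same password.
$users = ['alice' => 'farm1990M0O', 'bob' => 'farm1990M0O'];

$unsalted = array_map('unsalted_sha1', $users); // keys are preserved
$salted   = array_map('salted_bcrypt', $users);

printf("unsalted digests equal: %s\n", $unsalted['alice'] === $unsalted['bob'] ? 'yes' : 'no');
printf("bcrypt hashes equal:    %s\n", $salted['alice'] === $salted['bob'] ? 'yes' : 'no');
printf("alice salt: %s\nbob salt:   %s\n", bcrypt_salt($salted['alice']), bcrypt_salt($salted['bob']));

// Both users still verify against their own stored value; a wrong password does not.
foreach ($users as $name => $pw) {
    printf("%s verifies: %s\n", $name, check_password($pw, $salted[$name]) ? 'yes' : 'no');
}
printf("wrong password verifies: %s\n", check_password('wrong', $salted['alice']) ? 'yes' : 'no');
```

Run it twice and the two bcrypt strings differ again, because the salt is regenerated on every call; verification still succeeds because the salt travels inside the stored value. The cost parameter is the knob to raise as hardware gets faster.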
Salting a hash is used to decrease the possibility of collision and ensure that the hash can't be found in a database (like this) - if everybody is using md5() for storing their passwords, then a password file/database could be "de-hashed" by looking up the md5'd value of the password.
Using a salt, there is an added unknown element to the hash which means the code for generating the salt must also be known to try and brute force the hash. In the context of generating a random password, I can't see any point in salting the hash as the password data is random anyway.
The main reason for salting hash functions is to complicate dictionary attacks. And salting avoids discovery of same passwords, since they would produce the same hash.
Another use of hash functions is in pseudo-random number generators, which is what your code is trying to do.
True randomness is not an easy thing to achieve, and pseudo-random generation can be tricky. The code you explained seems to be trying to get the 'best' randomness from random.org, and its fallback pseudo-random generation is trying to do the right thing.
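Added example, not part of any answer above and not code from the Authentication Library: the mt_rand() fallback from the question placed beside a generator that draws its indices from PHP's CSPRNG (random_int()/random_bytes()), plus a check that the sha1 step is deterministic and therefore cannot add randomness the token did not already have. The TOKEN_ALPHABET constant, the function names and the sample encryption key are assumptions for illustration.

```php
<?php
// Added example (not from the original post or the Authentication Library):
// the library's mt_rand() fallback beside a CSPRNG-based generator, and a check
// that hashing the token afterwards cannot add randomness it did not have.

const TOKEN_ALPHABET = '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ';

// The fallback as posted: mt_rand() is a Mersenne Twister, a statistical PRNG.
// Its whole output stream is a function of a 32-bit seed, so it is not meant
// for secrets such as session or reset tokens.
function token_mt_rand(int $length = 20): string
{
    $token = '';
    $max = strlen(TOKEN_ALPHABET) - 1;
    for ($i = 0; $i < $length; $i++) {
        $token .= TOKEN_ALPHABET[mt_rand(0, $max)];
    }
    return $token;
}

// Same alphabet and length, but each index comes from random_int(), which
// draws from the operating system CSPRNG (getrandom(2), /dev/urandom, CryptGenRandom).
function token_random_int(int $length = 20): string
{
    $token = '';
    $max = strlen(TOKEN_ALPHABET) - 1;
    for ($i = 0; $i < $length; $i++) {
        $token .= TOKEN_ALPHABET[random_int(0, $max)];
    }
    return $token;
}

// Simplest option when the token only has to be opaque: raw CSPRNG bytes, hex-encoded.
function token_random_bytes(int $bytes = 16): string
{
    return bin2hex(random_bytes($bytes)); // two hex characters per byte
}

// Entropy of a token drawn uniformly from an alphabet: length * log2(|alphabet|).
function token_entropy_bits(int $length, int $alphabetSize): float
{
    return $length * log($alphabetSize, 2);
}

// The post-processing step from the question: sha1(encryption_key . token).
// It is a deterministic function of its input, so the number of possible
// digests can never exceed the number of possible tokens fed into it.
function hash_token(string $encryptionKey, string $token): string
{
    return sha1($encryptionKey . $token);
}

// Demonstration with a constructed key (not a real secret).
$key   = 'example-encryption-key-not-a-real-secret';
$token = token_random_int();

printf("mt_rand token:      %s\n", token_mt_rand());
printf("random_int token:   %s\n", $token);
printf("random_bytes token: %s\n", token_random_bytes());
printf("entropy of 20 chars over %d symbols: %.1f bits\n",
    strlen(TOKEN_ALPHABET), token_entropy_bits(20, strlen(TOKEN_ALPHABET)));

// Hashing the same token twice gives the same digest: no randomness was added.
if (hash_token($key, $token) !== hash_token($key, $token)) {
    throw new RuntimeException('sha1 is deterministic; this cannot happen');
}

// If the hashed form is what ends up stored, compare with hash_equals() so the
// comparison time does not depend on where the first differing byte is.
$stored = hash_token($key, $token);
$ok = hash_equals($stored, hash_token($key, $token));
printf("comparison: %s\n", $ok ? 'match' : 'mismatch');
```

The security of the fallback therefore rests entirely on the generator that picks the characters, not on the sha1 step: 20 characters over a 62-symbol alphabet is about 119 bits of entropy only if each index is drawn from a cryptographically secure source, which random_int() is and mt_rand() is not.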