Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

How does using a salt make a password more secure if it is stored in the database?

I am learning Rails, at the moment, but the answer doesn't have to be Rails specific.

So, as I understand it, a secure password system works like this:

  • User creates password
  • System encrypts password with an encryption algorithm (say SHA2).
  • Store hash of encrypted password in database.

Upon login attempt:

  • User tries to login
  • System creates hash of attempt with same encryption algorithm
  • System compares hash of attempt with hash of password in the database.
  • If match, they get let in. If not, they have to try again.

As I understand it, this approach is subject to a rainbow attack — wherein the following can happen.

An attacker can write a script that essentially tries every permutation of characters, numbers and symbols, creates a hash with the same encryption algorithm and compares them against the hash in the database.

So the way around it is to combine the hash with a unique salt. In many cases, the current date and time (down to milliseconds) that the user registers.

However, this salt is stored in the database column 'salt'.

So my question is, how does this change the fact that if the attacker got access to the database in the first place and has the hash created for the 'real' password and also has the hash for the salt, how is this not just as subject to a rainbow attack? Because, the theory would be that he tries every permutation + the salt hash and compare the outcome with the password hash. Just might take a bit longer, but I don't see how it is foolproof.

Forgive my ignorance, I am just learning this stuff and this just never made much sense to me.

like image 859
marcamillion Avatar asked Oct 23 '10 20:10

marcamillion


People also ask

How does salt increase password security?

Using ten different salts increases the security of hashed passwords by increasing the computational power required to generate lookup tables by a factor of ten. If the salt is stored separately from a password, it also makes it challenging for an attacker to reverse engineer a password.

How safe are salted passwords?

Password salting is one of the most secure ways to protect passwords stored for future authentication without exposing them should your website be breached in the future. However, salted passwords must also be iteratively hashed multiple times for this protection to work.

What does salt a password and why is it so important and how is it used to verify salted password?

Salting is simply the addition of a unique, random string of characters known only to the site to each password before it is hashed, typically this “salt” is placed in front of each password. The salt value needs to be stored by the site, which means sometimes sites use the same salt for every password.

Is salt used to safeguard passwords in storage?

Salts are used to safeguard passwords in storage. Historically, only a cryptographic hash function of the password was stored on a system, but over time, additional safeguards were developed to protect against duplicate or common passwords being identifiable (as their hashes are identical).


1 Answers

The primary advantage of a salt (chosen at random) is that even if two people use the same password, the hash will be different because the salts will be different. This means that the attacker can't precompute the hashes of common passwords because there are too many different salt values.

Note that the salt does not have to be kept secret; it just has to be big enough (64-bits, say) and random enough that two people using the same password have a vanishingly small chance of also using the same salt. (You could, if you wanted to, check that the salt was unique.)

like image 142
Jonathan Leffler Avatar answered Sep 20 '22 23:09

Jonathan Leffler