Is it a good idea to update hash salt every login?

I want to make a secure website. Is updating the password salt every time a user logs in a good idea?

Edit: I additionally use a global salt, which is hard coded.

Mikołaj Rozwadowski Avatar asked Dec 13 '12 14:12




1 Answer

No, it makes no sense at all.

The purpose of salting hashes is to make them unique even if the original password is the same. This avoids e.g. rainbow table attacks or re-using a stolen hash on another website where the hash is sufficient to login (happens with bad remember-me implementations).

Assume an attacker got the stored password hash from your database. This usually means that he knows both the salt and the final hash. Now he can already brute-force this single password. Assuming there are no collisions he'll end up with the actual password of the user when the brute-force attack succeeds. And that one will work no matter what salt is used at this moment.

For more information about salting I suggest you read this excellent answer on IT Security.

ThiefMaster Avatar answered Sep 22 '22 07:09

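The argument in the answer, as an added example that is not from the question or the answer: a leaked row (per-user salt plus hash) is guessed offline, and the recovered password still verifies against the record that was re-salted at the next login. The hash function, the `PEPPER` constant standing in for the question's hard-coded global salt, and the tiny wordlist are constructed for this demonstration; it assumes the attacker has both the database row and the application code that holds the global salt.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed demo values. PEPPER models the question's hard-coded "global salt";
# a real deployment would use a slow KDF with far more iterations.
PEPPER = b"constructed-global-pepper"
ITERATIONS = 20_000


def hash_password(password: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256 over the password, salted with per-user salt + pepper."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt + PEPPER, ITERATIONS)


def new_record(password: str) -> dict:
    """Stored row: fresh random per-user salt and the resulting hash."""
    salt = os.urandom(16)
    return {"salt": salt, "hash": hash_password(password, salt)}


def verify(password: str, record: dict) -> bool:
    return hmac.compare_digest(hash_password(password, record["salt"]), record["hash"])


def login_and_resalt(password: str, record: dict) -> Optional[dict]:
    """The scheme asked about: on a successful login, store a new salt and hash."""
    if not verify(password, record):
        return None
    return new_record(password)


def offline_guess(record: dict, wordlist: list) -> Optional[str]:
    """What an attacker can do with a leaked row: guess until the hash matches."""
    for guess in wordlist:
        if verify(guess, record):
            return guess
    return None


def demo() -> bool:
    """True if a password guessed from the OLD leaked row still opens the NEW re-salted row."""
    leaked = new_record("hunter2")                      # row as it was at the time of the breach
    current = login_and_resalt("hunter2", leaked)       # user logs in; salt rotated
    recovered = offline_guess(leaked, ["letmein", "password", "hunter2"])
    return recovered is not None and verify(recovered, current)
```

Rotating the salt changes the stored hash, but the password the attacker recovered from the old row is what the new row checks, so the rotation buys nothing; a slow KDF and a keyed pepper stored outside the database are what raise the attacker's cost.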