Menu
I've been told that email is a bad salt, because it's not unique and connected to the user.
And if a user uses the same password on 2 sites, there will be equal hash.
So, what's wrong with it? what is attack scenario?
Suppose we have both hash and salt. So, other site has the same hash in their database.
How can we do any harm to this user on the other site? Can we at all?
I don't see any possibility, but I am not an expert in security, so, I'd like to hear from ones who are, with practical and concrete answers, of course.
I am not going to break anything. I am asking this question in the context of this one: is email or (registration timestamp) a good salt?
Certain and practical answers, please.
856
As you can see from the above example it is possible to crack passwords that use salts. It just takes much longer and requires more processing time. Hashed passwords that use salts are what most modern authentication systems use.
Password salting involves adding a string of between 32 or more characters to a password and then hashing it. Password salting is one of the most secure ways to protect passwords stored for future authentication without exposing them should your website be breached in the future.
Using ten different salts increases the security of hashed passwords by increasing the computational power required to generate lookup tables by a factor of ten. If the salt is stored separately from a password, it also makes it challenging for an attacker to reverse engineer a password.
The salt doesn't need to be encrypted, for example. Salts are in place to prevent someone from cracking passwords at large and can be stored in cleartext in the database.
The point of a salt is not to be unknown, it is to prevent attackers from amortizing the cost of a brute force or dictionary attack across all users of a site (or even all users of many sites).
Thus, the problem of using a non-random salt like the email address is that it would show an attacker which users are using the same password on several sites, and which would therefore yield access to several accounts at once if cracked via brute force or dictionary attack. For the email address (and everything that is unique per user), this is a rather hypothetical problem since it assumes the attacker has the account data of several sites with considerable overlap in users.
Another problem with using the email address is that users will want to change it - which would be impossible if you use it as salt unless you store it in a separate salt column as well or require people to always change their password together with their email.
156
This is mostly a theoretical question. So, how does "cracking a hashed value" work? There are so called "rainbow tables", that are just list with common words and theire hash value. For salted hashes an attacker needs such tables also with salted hashes. So in theory with unique salts for every user an attacker needs one table for every salt (=> user). If you have a static salt, he "just" needs one table for your db. Its quite expensive to create such tables, so in most cases its not worth to create it just for a single page.
Conclusion: Its (of course) safer, to use unique salts for every user, but on a veeery high level. A static salts is usually "safe enough".
30
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
