Menu
I am debating using user-names as a means to salt passwords, instead of storing a random string along with the names. My justification is that the purpose of the salt is to prevent rainbow tables, so what makes this realistically less secure than another set of data in there?
For example,
hash( md5([email protected]), p4ss\/\/0rD)
vs
hash( md5(some_UUID_value), p4ss\/\/0rD)
Is there a real reason I couldn't just stick with the user name and simplify things? The only thing my web searching resulted was debates as to how a salt should be like a password, but ended without any reasoning behind it, where I'm under the impression this is just to prevent something like a cain-and-able cracker to run against it without being in the range of a million years. Thinking about processing limitations of reality, I don't believe this is a big deal if people know the hash, they still don't know the password, and they've moved into the super-computer range to brute force each individual hash.
Could someone please enlighten me here?
454
Usernames must never be used as salt values. They are not only predictable but are also heavily overused by the user across several sites. This reduces their security. Since these usernames such as 'admin' and 'root' are very commonly looked up as well, it is easy to crack the hashes and cause a breach of privacy.
Note that most modern hash algorithms, such as bcrypt and Argon2id, salt the password before they get hashed to protect passwords from hash table attacks and slow down dictionary and brute-force attacks. Don't use the username as the salt.
Salting prevents hackers who breach an enterprise environment from reverse-engineering passwords and stealing them from the database. Password salting increases password complexity, making them unique and secure without affecting user experience.
Not necessary. Just use a hashing function designed to make brute force attacks unperformant, like bcrypt. SHA is insufficient.
You'll run into problems, when the username changes (if it can be changed). There's no way you can update the hashed password, because you don't store the unsalted, unhashed password.
123
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
