Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Static Salt vs Random Salt - Security PHP

Tags:

security

php

encryption

Is there any working difference between

$hash=sha1($key.$staticSalt);

and

$hash=sha1($key.$randomSalt);

If i use random salt i need to store the random salt in the database, on the other side if i use a fixed salt then no need to use DB !
And if the code can be hacked to see the salt (static) then the hacker will be able to see the database also with the hash and random salt :D
So does it worth it ?
What if i use a salt like @#kiss~89+.&&^me ?

like image 289
Sourav Avatar asked May 08 '11 18:05

Sourav

2 Answers

Random salts have a tremendous benefit. If all accounts in the system use the same salt, an attacker can brute-force calculate hashes for that salt and break into all accounts with just one computational run. If they use different salts per account, brute-force only gets you into one account.

like image 124
ceejayoz Avatar answered Oct 14 '22 01:10

ceejayoz

While best practice for password storage dictates that they should be stored in a hashed format with a unique salt, the original question actually raises a reasonably good point: if you store the salt in a different location to the hashes, the impact of those hashes being disclosed is lowered.

1) If the passwords were only hashed, and stored in a database, and the site suffered from SQL Injection then an attacker could "crack" the hashes

2) If the passwords were hashed with a salt, and the both hash and salt were in the database, and the site had SQL Injection then an attacker could "crack" the hashes, but would require more computational effort (as there is no performance boost from pre-computed tables)

3) If the passwords were hashes with a salt, and the salt was stored elsewhere, then SQL Injection would afford an attacker little leverage to ascertain the actual password.

Scenario 1 is obviously weakest, but the difference in security between 2 and 3 is less clear-cut, and depends on the relative probabilities of SQL Injection vs server-side code disclosure (and associated classes of vulnerability).

What do you trust more - your ability to protect against SQL Injection, or the ability of Apache/PHP/Whatever to protect your server-side content.

Things are never simple and I actually think the idea in the OP makes more sense than other answers give credit for.

(You could use both, a salt stored in database and a "key" if you like stored in the web app source, when generating passwords).

like image 44
foob Avatar answered Oct 14 '22 00:10

foob
Sign in to Comment

Related questions

php mkdir() chmod and permissions
Php Regular Expression repeated characters
PHP array sort using inner val
Recursively left trim a specific character from keys
Wordpress different featured image size for different post types
PHP - Add link to a URL in a string
Semicolon after closing curly bracket in PHP
"At sign" @ in SimpleXML object?
facebook username validation regex pattern
How to add custom HTML Tag with Zend Form Description
Is @$array['possibly_missing_key'] an anti-pattern?
Using PHP DateInterval to create recurring events
How to do a pagination from array?
session timeout in php code and in htaccess?
magento class zend_log not found
Get timestamps of current week
php include_once not working
passing parameters to zend paginationControl partial
Jump to another case in PHP switch statement
How to get the shortest rather than longest possible regex match with preg_match()

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!