Under what scenario will a hacker get the table but not the PHP code?

Question

Ok, so I understand the value of the salt in my hashed passwords... kind of.

I am setting up a basic authentication scheme where I am setting passwords and users don't have the ability to set the passwords as something that they might use for another site.

So what is the real utility of the salt?

Under what circumstances could someone compromise my user table but not also get access to the rest of the tables with all the data, or my PHP code that shows the magic?

I'm trying to determine whether use of a salt is really that important in my case.

Thanks

Answer 1

It should be noted that SQL Injection can be used to read files using load data infile. By having a salt value unknown to the attacker, this will force the attacker into making a lot more guesses in order to obtain the plain text. Although salting almost never takes this into consideration. The main idea is two accomplish two things:

1) Two users with the same password will have different password hashes. This is why some salting systems using very small salts, such as only a few bytes.

2) Forcing the attacker to generate larger rainbow tables. In this case you want at least 8 bytes. Often times you see salts the same number of bits as the message digest function which makes pre-computation totally infeasible.

Once the salt is obtained a tool John The Ripper can be used to brute force the password. GPU's are also commonly used to break heavily salted passwords. It should be noted that bcrypt() good at defending against FPGA's and GPU's due to its high memory requirements. Using memory hard functions for password storage can yield a very strong password storage system.