Username, Password, Salting, Encrypting, Hash - How does it all work? [duplicate]

Question

Possible Duplicate:
Secure hash and salt for PHP passwords

Iv'e read a lot of posts both in stackoverflow and other websites talking about web security. Such as salting encrypting etc. And I'm kinda not getting it so a simple explanation would be really helpful.

So here's what I know so far. A user logs in types his username and password. The input then goes through a process. Lets say the username and password is combined like for example:

$username = (USERS USERNAME INPUT);
$password = (USERS PASSWORD INPUT);
$userinput = $username . $password;

Then we add some salt.

$salt1 = "13$13aVc!kd";
$salt2 = "4kr$!vlmeoc";

$salted = $salt1 . $userinput . $salt2;

Then we encrypt it.

$encrypted = encrypt($salted);

Then check with the database and if its right user gets logged in.

That's how it works right? But Iv'e read about brute force attack. It guesses the input values right? With the procedure above. Doesn't it shows that the attacker only needs to get the $userinput information correct to get in? He doesn't need to guess the long $encrypted string correct?

Note: Lets say in this situation there's no captcha, no number of tries limit, no lockout, nothing else but the one above.

Note: Be gentle I'm still learning.

Answer 1

If you rule out captchas, try limits, lockouts, et cetera... then yes. You just have to brute force the plain text string.

However, that does take time - at the very least, it's bounded by the rate at which the server will respond to login requests. Even if the developer doesn't add any measures to prevent brute forcing, the server itself can only go through the encryption + verification process so quickly, and can only handle so many parallel requests.

That said, this is why it's important to

• As a user, use a strong, hard to brute-force password
• As a developer, have adequate measures to prevent brute-forcing of your login process

---

Hashing and salting passwords isn't to protect against people who brute force the natural login process (there are other things that protect against that). Instead, they're to protect against potential compromise of the password storage itself (e.g. someone dumping the contents of the database).

Both hashing and salting serve to decrease the speed at which someone with access to the stored passwords can retrieve the plain text string they'd need to be able to go through the natural login process (of your site or other sites, given that passwords are commonly shared between sites) without tripping anti-brute-forcing security measures.

Answer 2

The idea of hashing and salting is more to prevent someone from taking user passwords if the database itself is compromised. If the passwords are stored as salted and hashed strings, the attacker can't just use them to access a user's account on another site.