Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

What is best possible way of salting and storing salt?

I have read about password salting, but this might sound a little odd. But how do I store and secure the salt. For example in a multi tire architecture say I use the client machine’s GUID to generate my salt then the user gets restricted to a single machine but if I use random salt it has to be stored somewhere. Few days back I saw an sample application where the hash and the salt was generated on the client system whenever a new user was created and then the salted password and the hash is transmitted to the server where they are stored in SQL server. But if I follow this method and the database is compromised the passwords and the salt values for each password will be available to the X person. So, should I again salt/encrypt the passwords and received salt on server side? What is the best practice of salting?

like image 962
Neel Avatar asked Nov 18 '09 01:11

Neel


People also ask

What is best way to store salt?

The best way to store salt is to keep it away from moisture. So, the salt storage container should not permit water or damp in. The container should be able to stay sealed for a long time without contaminating the salt or allowing moisture in.

Which container is best for storing salt?

It's always better to store salt in airtight glass jar or use salt boxes or pigs made with wood or ceramic. These allow better air flow and keep the moisture out.

What is the best salt to store long term?

Best Type of Salt for Long Term Storage. Pickling salt, canning salt, or kosher salt without iodine or additives are the best types of salt for long-term storage because they won't go bad. Their purity also means they can be used in multiple ways. Sea salt is also a good choice but tends to be more expensive.

Why is it important to store salts in plaintext?

Plaintext passwords are insecure secrets; if someone gains access to that database, it'll spell disaster for your organization and users. Adding a salt to your passwords prior to hashing them makes them more resistant to brute force, dictionary attacks and rainbow table attacks.


2 Answers

Storing the salt unencrypted in the database next to the hashed passwords is not a problem.

The purpose of the salt is not to be secret. It's purpose is to be different for each hash (i.e. random), and long enough to defeat the use of rainbow tables when an attacker gets his hands on the database.

See this excellent post on the subject by Thomas Ptacek.

edit @ZJR: even if the salts were completely public, they would still defeat the benefit of rainbow tables. When you have a salt and hashed data, the best you can do to reverse it is brute force (provided that the hash function is cryptographically secure)

edit @n10i: See the wikipedia article for secure hash function. As for the salt size, the popular bcrypt.gensalt() implementation uses 128 bit.

like image 117
Wim Coenen Avatar answered Oct 11 '22 15:10

Wim Coenen


Please take a moment to read this very good description of salts and hashing

Salt Generation and open source software

like image 41
Jeremy Powell Avatar answered Oct 11 '22 14:10

Jeremy Powell