
Why should we change the Security Salt value in CakePHP?

Tags: php, cakephp

While installing CakePHP I got the below-mentioned error:

Please change the value of 'Security.salt' in app/config/core.php to a salt value specific to your application

I know the solution and it is working absolutely fine for me.

But just to satisfy my eagerness, I want to know: why should we change the Security Salt value in CakePHP? And what if we don't change the value?

Hardrik asked Sep 28 '13 04:09


1 Answer

The idea of a cryptographic "salt" is that the same password (or other secret value) encrypted in two places doesn't end up with the same encrypted value. This makes it harder to produce a "dictionary" containing the hashes for lots of likely passwords, and quickly check it against a stolen list of password hashes to recover the password.

Strictly speaking, a salt should be generated for each value, and stored with that value - so a dictionary or "brute force" attack might succeed in recovering that single password, but would be of no benefit for other passwords in the system.

However, an application-wide salt can also provide some benefit, by making the hashes generated by one application not match those from another. It's also possible that someone could steal the encrypted data (e.g. a database table of users) without having access to this application-level salt, making the brute-force attack trickier.

These benefits would be completely lost if everyone who installed CakePHP used the same salt, because anyone can download the source code and find the default salt.

IMSoP answered Sep 20 '22 21:09
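To make the answer's two kinds of salt concrete, here is an added PHP example (not from the answer and not CakePHP's own code). The salt strings and the sample password are constructed placeholders, and hash_hmac() stands in for "feed an application-wide salt into the digest"; it is not a claim about the exact Security::hash() implementation.

```php
<?php
declare(strict_types=1);

// Constructed demo values; the salt strings are placeholders, not CakePHP's real default.
const DEFAULT_SALT = 'DEFAULT-SALT-PLACEHOLDER';    // what every fresh install would share
const MY_APP_SALT  = 'b7c3-unique-to-this-install';  // what a maintainer replaces it with

// No salt at all: identical passwords always give identical digests, so one
// precomputed dictionary of sha1(password) works against every database.
function unsaltedHash(string $password): string
{
    return sha1($password);
}

// Application-wide salt (the role of Security.salt): the digest now depends on the
// installation's secret, so a table built for one salt is useless against another,
// and a stolen user table is of limited use without the salt that produced it.
function appSaltedHash(string $password, string $appSalt): string
{
    return hash_hmac('sha256', $password, $appSalt);
}

// Per-value salt: password_hash() generates a fresh random salt for every call and
// stores it inside the returned string, so two users with the same password differ.
function perUserHash(string $password): string
{
    return password_hash($password, PASSWORD_DEFAULT);
}

function demo(): array
{
    $pw = 'hunter2'; // constructed sample password

    return [
        // two installs that both kept the shipped default collide exactly
        'default_salt_collides' => appSaltedHash($pw, DEFAULT_SALT) === appSaltedHash($pw, DEFAULT_SALT),
        // changing the salt makes this install's digests differ from the default ones
        'custom_salt_differs'   => appSaltedHash($pw, MY_APP_SALT) !== appSaltedHash($pw, DEFAULT_SALT),
        // unsalted: every site stores the same value for the same password
        'unsalted_collides'     => unsaltedHash($pw) === unsaltedHash($pw),
        // per-user salting: same password, two different stored strings, both verify
        'per_user_differs'      => perUserHash($pw) !== perUserHash($pw),
        'per_user_verifies'     => password_verify($pw, perUserHash($pw)),
    ];
}

foreach (demo() as $check => $ok) {
    printf("%-22s %s\n", $check, $ok ? 'true' : 'false');
}
```

All five checks print true: the first three show why a shared default salt gives no protection, the last two show why the answer calls a per-value salt the stricter approach.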