Password salting
For a long time most PHP developers protected passwords only with the md5() function. Then people started using salting to protect their users passwords from rainbow tables and other naughty stuff.
The way salting works is that you generate a random string of data, and add this to the password before you pass it to the md5() function. The salt is stored in the database, and when you want to verify a password you fetch the salt and add it to the supplied password.
The most common way to add the salt to the password is something like this:
$hash = md5($salt.$password);
The problem is that if the attacker get the hash from the database he also get the salt. He can then start a brute force attack. It will take longer that with an unsalted password, but it can be done.
While working on the password hashing functions for phpSec I developed a way of picking a 'random' position in the password to place the salt, depending on what the password is.
The way this function works is that is first creates a hash of the password, and picks out the first hexadecimal character of the hash. This is converted to a decimal number. This will always be from 0 to 15.
Then, the length of the password is divided by 16, and multiplied with the number found above. This gives us a number that we can use to place the salt inside the password.
Now the attacker has to try his brute force attack with the salt placed in all possible positions, which is far more than in the first example.
Search
Archive
- December 2011 (5)
- August 2011 (1)
- July 2011 (2)
- March 2011 (1)
- February 2011 (2)
- January 2011 (1)
- August 2009 (3)
- January 2009 (3)
- December 2008 (3)
- September 2008 (1)
User login
