Re: Passwords (HASHED!) store in same table or separate table?

Tue, 11 Dec 2012 16:22:33 -0800 

On Dec 11, 2012, at 5:53 PM, "MB Software Solutions, LLC" 
<[email protected]> wrote:

> "user-specific salt"  --> is that the same as those "secret questions" that I 
> fill out on some websites?  Are those answers my "salt" ?

        No, not at all. A salt is a randomly-generated set of bits that is 
added to the user-supplied password to increase entropy and ensure uniqueness.

        Let's say Alice and Bob are typical security-ignorant users and both 
submit 'password' as their password. When the system stores the hashed 
password, even if it uses a strong hashing algorithm, will store identical 
hashes for both users. Here's an example in python

import os
import hashlib

alice = hashlib.sha256("password")
bob = hashlib.sha256("password")
print "Alice:", alice.hexdigest()
print "Bob:", bob.hexdigest()

# prints out:
Alice: 5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8
Bob: 5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8

# Now add a salt. Typical salt generator is the os.urandom() function. 
alice = hashlib.sha256("password" + os.urandom(16))
bob = hashlib.sha256("password" + os.urandom(16))
print "Alice:", alice.hexdigest()
print "Bob:", bob.hexdigest()

# This prints out:
Alice: 62963cdc0c1bad590bf750e156da8902c0398951142eaee72cebe84633d0f08d
Bob: e735b12b0e8e43633c9fa99011e3241649d0b7b30bd3e78e21bed1a5939e8316

        You can see that without the salt, the hashes are identical. It 
wouldn't be too tough to determine the password using rainbow tables. But with 
the salt, there is nothing to suggest that Alice and Bob's passwords are the 
same.


-- Ed Leafe




_______________________________________________
Post Messages to: [email protected]
Subscription Maintenance: http://mail.leafe.com/mailman/listinfo/profox
OT-free version of this list: http://mail.leafe.com/mailman/listinfo/profoxtech
Searchable Archive: http://leafe.com/archives/search/profox
This message: 
http://leafe.com/archives/byMID/profox/[email protected]
** All postings, unless explicitly stated otherwise, are the opinions of the 
author, and do not constitute legal or medical advice. This statement is added 
to the messages for those lawyers who are too stupid to see the obvious.

Reply via email to