There is a bunch of basic info on the use of a salt on the web. The Wikipedia
article is a good start. It depends upon where and how you are using it. Mostly
they discuss using a salt with a hash function. They recommend a long salt.
They recommend storing the salt with the hashed password.

User enters their name and password. You look up the salt for their name. You 
hash the password they provided using the salt you have stored for them. You 
compare the hash with the hash you had stored. If they match, bingo.

The salt eliminates the ability for a hacker to use a rainbow table. It is
trivial to buy a CD of all hashes for all possible passwords that are 1 to 14
characters in length. Take a hash, look it up on the CD, and it displays the
original password that created that hash.

Now … if you use a salt, your hash for that password will not match the hash
for that password in the rainbow table on the CD. If you have a 32 character
salt that is different for each password, assuming lower and upper case ASCII
and numbers (26 + 26 + 10 = 62), the number of possible salts for a 32 char salt
is 62^32. To pre-compute a rainbow table for each 14 char possible password
would mean 2.27 * 10^57 rainbow tables. Just isn't practical. So they would
have to snag your password table, see the salts for each password, create a
rainbow table for that salt, then do a lookup to see if the hash you stored is
in the rainbow table. If yes, they know the user's password. For the next
password, new rainbow table.

So for a password hash, use a 32 char salt, and store the salt along with the 
password hash, and toss the password, don’t store it.

Kee
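
Added example (not from Kee's message or from LiveCode itself): the register /
look-up-salt / hash / compare flow described above, in Python using only the
standard library. It follows the message's parameters (a 32 character salt drawn
from the 62 upper, lower and digit characters, salt stored next to the hash, the
plaintext password never stored). Two things are this example's own choices, not
the message's: the salt is drawn with the secrets module so it is unbiased and
unpredictable, and the "hash function" is PBKDF2-HMAC-SHA256 with an iteration
count (a deliberately slow, salted hash) rather than a single bare hash call. The
store dictionary, user names and passwords are constructed test data.

```python
import hashlib
import hmac
import secrets
import string

# 26 lower + 26 upper + 10 digits = 62 symbols, as in the message
SALT_ALPHABET = string.ascii_letters + string.digits
SALT_LENGTH = 32
# Iteration count for PBKDF2: an assumption of this example, chosen so that
# each guess costs the attacker measurable work. Raise it as hardware allows.
PBKDF2_ITERATIONS = 100_000


def make_salt(length: int = SALT_LENGTH) -> str:
    """Return a fresh random salt from the 62-character alphabet.

    secrets.choice uses the OS CSPRNG and picks uniformly, so every one of
    the 62**32 possible salts is equally likely.
    """
    return "".join(secrets.choice(SALT_ALPHABET) for _ in range(length))


def count_possible_salts(length: int = SALT_LENGTH,
                         alphabet: str = SALT_ALPHABET) -> int:
    """Size of the salt space: 62**32 for the defaults (about 2.27e57)."""
    return len(alphabet) ** length


def hash_password(password: str, salt: str) -> str:
    """Salted, iterated hash of the password, returned as hex.

    The same password with a different salt yields an unrelated hash, which
    is what defeats a precomputed (rainbow) table.
    """
    digest = hashlib.pbkdf2_hmac(
        "sha256",
        password.encode("utf-8"),
        salt.encode("utf-8"),
        PBKDF2_ITERATIONS,
    )
    return digest.hex()


def register(store: dict, username: str, password: str) -> None:
    """Create a per-user salt and store salt + hash; the password is discarded."""
    salt = make_salt()
    store[username] = {"salt": salt, "hash": hash_password(password, salt)}


def verify(store: dict, username: str, password: str) -> bool:
    """Look up the user's salt, re-hash the supplied password, compare."""
    record = store.get(username)
    if record is None:
        # Do the same amount of work for unknown names so response time
        # does not reveal which user names exist.
        hash_password(password, "0" * SALT_LENGTH)
        return False
    candidate = hash_password(password, record["salt"])
    # Constant-time comparison of the two hex strings.
    return hmac.compare_digest(candidate, record["hash"])


if __name__ == "__main__":
    users = {}                                    # constructed in-memory store
    register(users, "bill", "correct horse battery staple")
    print("stored record:", users["bill"])        # salt and hash only
    print("right password:", verify(users, "bill", "correct horse battery staple"))
    print("wrong password:", verify(users, "bill", "password1"))
    print("unknown user:  ", verify(users, "nobody", "anything"))
    print("possible salts:", f"{count_possible_salts():.3e}")
```

Running the script shows that the stored record holds only the salt and the
hash, that only the original password verifies, and that two registrations of
the same password produce different hashes because each gets its own salt.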

> On Jun 6, 2018, at 2:52 PM, prothero--- via use-livecode 
> <use-livecode@lists.runrev.com> wrote:
> 
> I’m in LC 9.0.0 and Encryption is discussed, and the code is shown to set a 
> salt. However, the docs say it’s beyond the scope of the docs to explain how 
> to choose a salt. For example, how many characters need to be in a salt. Are 
> any characters permissible? Are all character formats permissible? There is 
> no guidance on what makes an acceptable salt.
> 
> Best,
> Bill
> 
> William Prothero
> http://earthlearningsolutions.org
> 
>> On Jun 6, 2018, at 2:40 PM, Bob Sneidar via use-livecode 
>> <use-livecode@lists.runrev.com> wrote:
>> 
>> The encrypt command in the dictionary has that info. 
>> 
>> Bob S
>> 
>> 
>>> On Jun 6, 2018, at 14:16 , prothero--- via use-livecode 
>>> <use-livecode@lists.runrev.com> wrote:
>>> 
>>> I’ve been having questions about AES 256 encryption lately. I encrypt MySQL
>>> queries and data (in LiveCode) before sending it to a PHP script on my
>>> remote server. The PHP version returns a warning message that I am not
>>> using a salt, which reduces security. OK, but I can’t find info about how
>>> to create and use salts. What are the parameters needed to make a salt, and
>>> do I have to do anything to my decode script in PHP to make it recognize
>>> the salt?
>>> 
>>> It would be wonderful if there was sample code for this.
>>> 
>>> Best,
>>> Bill
>>> 
>>> William Prothero
>>> http://earthlearningsolutions.org
>> 
>> _______________________________________________
>> use-livecode mailing list
>> use-livecode@lists.runrev.com
>> Please visit this url to subscribe, unsubscribe and manage your subscription 
>> preferences:
>> http://lists.runrev.com/mailman/listinfo/use-livecode
> 