Comments on: Username as password salt http://www.callum-macdonald.com/2008/06/13/username-as-password-salt/ Callum on life Tue, 07 Feb 2012 21:09:30 +0000 hourly 1 http://wordpress.org/?v=3.3.1 By: Salt’n’Pepper – Username als Pepper zum Salt | PHPFlüsterer http://www.callum-macdonald.com/2008/06/13/username-as-password-salt/comment-page-1/#comment-103176 Salt’n’Pepper – Username als Pepper zum Salt | PHPFlüsterer Thu, 05 Jan 2012 07:47:59 +0000 http://www.callum-macdonald.com/?p=616#comment-103176 [...] Ganz neu scheint diese Idee oder der Gedanke jedenfalls nicht zu sein (siehe hier). [...] [...] Ganz neu scheint diese Idee oder der Gedanke jedenfalls nicht zu sein (siehe hier). [...]

]]> By: Benjamin Carl - PHP continuous-integration test-driven-development qualitätssicherung software-architektur - » Salt’n’Pepper – Username als Pepper zum Salt für den Hash http://www.callum-macdonald.com/2008/06/13/username-as-password-salt/comment-page-1/#comment-44597 Benjamin Carl - PHP continuous-integration test-driven-development qualitätssicherung software-architektur - » Salt’n’Pepper – Username als Pepper zum Salt für den Hash Sat, 13 Mar 2010 21:10:27 +0000 http://www.callum-macdonald.com/?p=616#comment-44597 [...] Ganz neu scheint diese Idee oder der Gedanke jedenfalls nicht zu sein (siehe hier). [...] [...] Ganz neu scheint diese Idee oder der Gedanke jedenfalls nicht zu sein (siehe hier). [...]

]]> By: Tes http://www.callum-macdonald.com/2008/06/13/username-as-password-salt/comment-page-1/#comment-33852 Tes Fri, 20 Feb 2009 18:25:30 +0000 http://www.callum-macdonald.com/?p=616#comment-33852 You are correct that double salting the password with a private salt(username) and a public salt(domain) would require a new brute force attack for each password. However, you are better off using unknown/unknowable salts. If the attacker doesn't know any of the three, their brute force would look like: {guess}{guess}{guess} {guess1}{guess}{guess} . . {guess}{guess1}{guess}... If the attacker does know one or more of the salts: salt{guess}{guess} or salt{guess}salt salt{guess1}{guess} or salt{guess1}salt... So you lower the amount of work they would need to do to break any one particular password by using salts they could know. Here's what I do: I generated a very long random string using every kind of character. I keep it in my php scripts and that is the same for all my passwords. Then I add another row to my users table to store a private salt for each user, which is generated and stored automatically by PHP when the user registers. When a user logs in I take the username they entered, get the private salt with it, add the public salt, hash it and check against the stored password. A hacker would have to compromise both the php script AND the database to get both the salts. Finally, this is all mostly useless if you're using md5 which has been broken in oh so many ways(though not completely). I would use something like whirlpool or sha-1[if you trust the government ;)] You are correct that double salting the password with a private salt(username) and a public salt(domain) would require a new brute force attack for each password. However, you are better off using unknown/unknowable salts.

If the attacker doesn’t know any of the three, their brute force would look like:
{guess}{guess}{guess}
{guess1}{guess}{guess}
.
.
{guess}{guess1}{guess}…

If the attacker does know one or more of the salts:
salt{guess}{guess} or salt{guess}salt
salt{guess1}{guess} or salt{guess1}salt…

So you lower the amount of work they would need to do to break any one particular password by using salts they could know.

Here’s what I do:
I generated a very long random string using every kind of character. I keep it in my php scripts and that is the same for all my passwords.
Then I add another row to my users table to store a private salt for each user, which is generated and stored automatically by PHP when the user registers.

When a user logs in I take the username they entered, get the private salt with it, add the public salt, hash it and check against the stored password. A hacker would have to compromise both the php script AND the database to get both the salts.

Finally, this is all mostly useless if you’re using md5 which has been broken in oh so many ways(though not completely). I would use something like whirlpool or sha-1[if you trust the government ;) ]

]]> By: Jeremy http://www.callum-macdonald.com/2008/06/13/username-as-password-salt/comment-page-1/#comment-31438 Jeremy Wed, 05 Nov 2008 07:16:13 +0000 http://www.callum-macdonald.com/?p=616#comment-31438 Or if you use uniqueidentifiers, use that for the salt Or if you use uniqueidentifiers, use that for the salt

]]> By: Callum http://www.callum-macdonald.com/2008/06/13/username-as-password-salt/comment-page-1/#comment-28148 Callum Sun, 15 Jun 2008 02:52:12 +0000 http://www.callum-macdonald.com/?p=616#comment-28148 @<a href="http://www.callum-macdonald.com/2008/06/13/username-as-password-salt/#comment-28147" rel="nofollow">Morgan Tocker</a>: Thanks for chiming in. It's true that you could build your own hash database, but would it not be prohibitively expensive (time and disk wise)? I thought the beauty of rainbow table attacks is that you precompute the rainbow table once, then you can store it indefinitely. Whereas I haven't heard the argument that the principle of hashing in itself is flawed. I understood that passwords were stored as salted hashes so that a rainbow table would be useless. In effect, an attacker would need to generate a new rainbow table for every user, which would be prohibitively expensive. I think I'll go with something like md5( username . password . domain ). It would be possible from that data to break the passwords, but it would require a *huge* amount of work. @Morgan Tocker: Thanks for chiming in.

It’s true that you could build your own hash database, but would it not be prohibitively expensive (time and disk wise)? I thought the beauty of rainbow table attacks is that you precompute the rainbow table once, then you can store it indefinitely. Whereas I haven’t heard the argument that the principle of hashing in itself is flawed.

I understood that passwords were stored as salted hashes so that a rainbow table would be useless. In effect, an attacker would need to generate a new rainbow table for every user, which would be prohibitively expensive.

I think I’ll go with something like md5( username . password . domain ). It would be possible from that data to break the passwords, but it would require a *huge* amount of work.

]]> By: Morgan Tocker http://www.callum-macdonald.com/2008/06/13/username-as-password-salt/comment-page-1/#comment-28147 Morgan Tocker Sun, 15 Jun 2008 02:45:18 +0000 http://www.callum-macdonald.com/?p=616#comment-28147 It's not devoid of use, but As Alex pointed out - it's probably better to keep that known constant hidden and treat it like a password in itself. That way nobody else can build their own hash database (easily) by just starting from MD5(salt . 'a') .. MD5(salt . 'b') etc. FWIW, the largest hash database I know of is Gdata (http://gdataonline.com/). Presumably from their homepage they have 670M hashes - which is just a bit less than 64^5. The storage cost for 64^5 is 4G just for the hashes - and for 64^6 it's 256G, so it starts to get expensive quickly. It’s not devoid of use, but As Alex pointed out – it’s probably better to keep that known constant hidden and treat it like a password in itself. That way nobody else can build their own hash database (easily) by just starting from MD5(salt . ‘a’) .. MD5(salt . ‘b’) etc.

FWIW, the largest hash database I know of is Gdata (http://gdataonline.com/). Presumably from their homepage they have 670M hashes – which is just a bit less than 64^5.

The storage cost for 64^5 is 4G just for the hashes – and for 64^6 it’s 256G, so it starts to get expensive quickly.

]]> By: Callum http://www.callum-macdonald.com/2008/06/13/username-as-password-salt/comment-page-1/#comment-28140 Callum Fri, 13 Jun 2008 08:43:58 +0000 http://www.callum-macdonald.com/?p=616#comment-28140 An excellent point Alex, I knew you'd chime in with something useful! :) So simply combining the two would not provide adequate protection against rainbow attacks. Very true. But the two combined with a known constant, such as the site URL, would presumably overcome this issue. Each record would be individually unique, and the whole namespace would also be globally unique. An excellent point Alex, I knew you’d chime in with something useful! :)

So simply combining the two would not provide adequate protection against rainbow attacks. Very true. But the two combined with a known constant, such as the site URL, would presumably overcome this issue. Each record would be individually unique, and the whole namespace would also be globally unique.

]]> By: Alex http://www.callum-macdonald.com/2008/06/13/username-as-password-salt/comment-page-1/#comment-28139 Alex Fri, 13 Jun 2008 08:40:38 +0000 http://www.callum-macdonald.com/?p=616#comment-28139 ... only that the username is frequently a known quantity, particularly for users such as 'admin' or 'root' that you might reasonably want to attack. Since the point of salt is to eliminate pre-calculated hashes being used in a dictionary attack, it doesn't help when a set of pre-calculated hashes can be created with the salt 'admin' or 'root'. … only that the username is frequently a known quantity, particularly for users such as ‘admin’ or ‘root’ that you might reasonably want to attack. Since the point of salt is to eliminate pre-calculated hashes being used in a dictionary attack, it doesn’t help when a set of pre-calculated hashes can be created with the salt ‘admin’ or ‘root’.

]]>