Web Design Forum: Salts - Web Design Forum


#1 BritZin
Posted 18 July 2009 - 09:31 PM

Whilst working through a project, I've come across a pondering. I thought I'd ask the community: typically, if you're encrypting things, what do you use for an encryption salt? Do you use the data given as its own salt:
E.g.
$password = "moocow"; // From form
$salt = sha1(md5($password));
$password = md5($password . $salt);

or do you use a random predefined one?
E.g.
$password = "moocow"; // From form
$salt = sha1(md5('aHdnie30834294ndahdnw'));
$password = md5($password . $salt);

Ignore the horrific use of MD5 :lol:
I'm enquiring for a general survey purpose to see how everyone else does it.

#2 Sam G
Posted 20 July 2009 - 08:40 AM

Salt should always be dynamic. By the way - I hope you aren't using MD5 to encrypt your salt?

#3 skidz
Posted 20 July 2009 - 10:47 AM

I'd use a mixture of RAND and UNIQID etc etc to give a dynamic salt! I'd also be using HASH instead of md5 :)

#4 Gibbs
Posted 20 July 2009 - 12:22 PM

I avoid creating a unique salt value as it has to be stored somewhere. I've never understood the logic of storing the salt value (as a column) in a database, as it renders it useless should the database be breached. I usually use a value in the database such as the user's email, which can only be figured out with access to the file system.

#5 Sam G
Posted 20 July 2009 - 01:51 PM

I use dynamic salts but I also don't store the entire password in the database (or in a file) - just certain portions of it.

#6 Jake151
Posted 30 July 2009 - 09:35 AM

Hey

Sorry for what might be taking over the topic but I don't want to create a new one.

Regarding the dynamically created salts, how do you create the same salt again so the user can, say, "log in"? I have been looking into this technique for a while but am baffled by it. I have the thought that if the salt is dynamically created then you will not be able to get it back again, or do you store it in the database as well? But then that's pointless, because if the hacker sees it then they will know all the passwords.

I am quite confused if anyone can help.

Thanks a lot

Jake151

#7 skidz
Posted 30 July 2009 - 09:40 AM

The salt would be encrypted (no backwards compatibility) in the database, as would the password, so the chances of a hacker getting your dynamic encrypted salt and the encrypted password are very slim.

Especially if you were to use something like sha256 (as a totally over the top example).
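For Jake151's question in #6 and the store-the-salt scheme skidz describes in #7, here is an added Python example (not code from any poster) of how a per-user random salt is created at registration, stored in the clear beside the hash, and re-read at login; the stored salt is not a secret, it only stops one precomputed table from cracking every user at once, so a stolen table still leaves each hash to be brute-forced individually. The choice of PBKDF2-HMAC-SHA256 with 600,000 iterations and a 16-byte salt is this example's assumption, not something the thread specifies.

```python
import hashlib
import hmac
import secrets

# Work factor for PBKDF2-HMAC-SHA256; chosen for this example, not from the thread.
ITERATIONS = 600_000
SALT_BYTES = 16


def hash_password(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Derive a fixed-length digest from password + salt with a deliberately slow KDF."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def register(store: dict, username: str, password: str) -> None:
    """Create a fresh random salt for this user and store it beside the hash.

    The salt is not secret: its job is to make each user's hash unique, so a
    table precomputed against one hash is useless against every other one.
    """
    salt = secrets.token_bytes(SALT_BYTES)  # CSPRNG, unlike rand()/uniqid()
    store[username] = {
        "salt": salt.hex(),
        "hash": hash_password(password, salt).hex(),
        "iterations": ITERATIONS,  # stored so the cost can be raised later
    }


def login(store: dict, username: str, password: str) -> bool:
    """Re-read the stored salt, recompute the hash, compare in constant time."""
    record = store.get(username)
    if record is None:
        return False
    salt = bytes.fromhex(record["salt"])
    candidate = hash_password(password, salt, record["iterations"])
    return hmac.compare_digest(candidate.hex(), record["hash"])


if __name__ == "__main__":
    # Constructed demo: two users who happen to pick the same password.
    users = {}
    register(users, "alice", "moocow")
    register(users, "bob", "moocow")
    print("same password, different hashes:", users["alice"]["hash"] != users["bob"]["hash"])
    print("alice logs in:", login(users, "alice", "moocow"))
    print("wrong password rejected:", not login(users, "alice", "m00cow"))
```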
