[aur-dev] [PATCH] Support for salted passwords

Dan McGee dpmcgee at gmail.com
Thu Apr 15 15:10:19 EDT 2010


On Thu, Apr 15, 2010 at 2:00 PM, Loui Chang <louipc.ist at gmail.com> wrote:
> On Mon 05 Apr 2010 09:50 -0400, Denis Kobozev wrote:
>> Here's a patch that adds support for storing salted passwords in the
>> database. The salt is a random string for each user and is stored
>> along with the password in the Users table. Salt is created and
>> password is salted when old users log in. New users get salted
>> passwords when they register. What do you think?
>
> Hi Denis. I thought the idea behind salt is that if someone gets the
> database, they can't crack the passwords because the salt is secret.
>
> If you include the salt in the database, then it wouldn't be much more
> difficult to crack than the regular password hash, would it?  So how
> would we go about keeping the salt secret if it's in the same database
> as the password hashes?
>
> I might not fully understand the concept though.

That's not fully correct. Salt is not meant to be secret; it is meant
to prevent the use of rainbow tables or precomputed hashes.

The idea behind salt in this case is for each user's password to be
hashed with a different salt. This means if someone is to crack one
person's password, it doesn't help them at all with the remaining
passwords in that same database that they got their hands on because
the salt is unique for every user.

-Dan

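The following example illustrates the point Dan makes above: the salt is stored in the clear next to the hash, yet a per-user random salt defeats a precomputed table and stops one cracked password from giving away every other user with the same password. It also shows the migrate-on-login behaviour Denis's patch description mentions. This is editor-added example code, not Denis's patch and not the AUR code base; the hash function (SHA-256), the record layout, and the wordlist are assumptions made for the demonstration.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumed record layout for this example (not the AUR Users table):
#   db[user] = {"salt": <hex string or None for legacy rows>, "hash": <hex digest>}
# Plain SHA-256 is used so the effect of the salt is easy to see; a real
# deployment should use a slow salted KDF (bcrypt, scrypt, Argon2, PBKDF2).

# Constructed attacker wordlist for the demo (not real data).
WORDLIST = ["password", "hunter2", "letmein", "qwerty"]


def unsalted_hash(password: str) -> str:
    """Legacy scheme: hash(password). Same password -> same digest for everyone."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def make_salt(nbytes: int = 16) -> str:
    """Random per-user salt. It is stored in the clear; it is not a secret."""
    return os.urandom(nbytes).hex()


def salted_hash(password: str, salt: str) -> str:
    """Salted scheme: hash(salt || password)."""
    return hashlib.sha256((salt + password).encode("utf-8")).hexdigest()


def register(db: dict, user: str, password: str, salt: Optional[str] = None) -> None:
    """New users get a fresh random salt. A fixed `salt` is only for tests."""
    salt = make_salt() if salt is None else salt
    db[user] = {"salt": salt, "hash": salted_hash(password, salt)}


def login(db: dict, user: str, password: str) -> bool:
    """Verify a login; on first success, upgrade a legacy unsalted row to a salted one."""
    rec = db.get(user)
    if rec is None:
        return False
    if rec["salt"] is None:  # row written before salting existed
        if not hmac.compare_digest(rec["hash"], unsalted_hash(password)):
            return False
        salt = make_salt()  # the cleartext is available now, so salt and rehash it
        db[user] = {"salt": salt, "hash": salted_hash(password, salt)}
        return True
    return hmac.compare_digest(rec["hash"], salted_hash(password, rec["salt"]))


def rainbow_table(wordlist) -> dict:
    """Precomputed once; reusable against any database of unsalted hashes."""
    return {unsalted_hash(w): w for w in wordlist}


def crack_unsalted(table: dict, db: dict) -> dict:
    """One table lookup per user, no hashing at attack time."""
    return {u: table[r["hash"]] for u, r in db.items() if r["hash"] in table}


def crack_salted(db: dict, wordlist) -> tuple:
    """With a unique salt per user the attacker must rehash the wordlist per user.

    Returns (passwords found, number of hashes computed) so the extra work is visible.
    """
    found, hashes_computed = {}, 0
    for user, rec in db.items():
        for w in wordlist:
            hashes_computed += 1
            if salted_hash(w, rec["salt"]) == rec["hash"]:
                found[user] = w
                break
    return found, hashes_computed


if __name__ == "__main__":
    # Two legacy users who happen to share a password (constructed data).
    legacy = {
        "alice": {"salt": None, "hash": unsalted_hash("hunter2")},
        "bob": {"salt": None, "hash": unsalted_hash("hunter2")},
    }
    print("unsalted: identical digests expose reuse:", legacy["alice"]["hash"] == legacy["bob"]["hash"])
    print("unsalted: rainbow table hits:", crack_unsalted(rainbow_table(WORDLIST), legacy))
    login(legacy, "alice", "hunter2")  # migrates alice to a salted hash
    login(legacy, "bob", "hunter2")    # migrates bob with a different salt
    print("salted: digests now differ:", legacy["alice"]["hash"] != legacy["bob"]["hash"])
    print("salted: rainbow table hits:", crack_unsalted(rainbow_table(WORDLIST), legacy))
    print("salted: per-user cracking result and work:", crack_salted(legacy, WORDLIST))
```

The salt does not make a weak password uncrackable: `crack_salted` still finds "hunter2" for both users. What it buys is that the precomputed table is useless and that every user costs the attacker a separate pass over the wordlist, which is exactly why the salt can sit in the same table as the hash.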
