[aur-dev] [PATCH] Support for salted passwords

Denis Kobozev d.v.kobozev at gmail.com
Fri Apr 16 09:03:27 EDT 2010


On Thu, Apr 15, 2010 at 3:10 PM, Dan McGee <dpmcgee at gmail.com> wrote:
> On Thu, Apr 15, 2010 at 2:00 PM, Loui Chang <louipc.ist at gmail.com> wrote:
>> Hi Denis. I thought the idea behind salt is that if someone gets the
>> database, they can't crack the passwords because the salt is secret.
>
> That's not fully correct. Salt is not meant to be secret; it is meant
> to prevent the use of rainbow tables or precomputed hashes.
>
> The idea behind salt in this case is for each user's password to be
> hashed with a different salt. This means if someone is to crack one
> person's password, it doesn't help them at all with the remaining
> passwords in that same database that they got their hands on because
> the salt is unique for every user.

Dan is right - salted passwords are used to reduce the efficiency of
rainbow table attacks on the database. I'm no security expert, but it
is my understanding that assigning a random salt to each user is
considered pretty secure. Some implementations are even simpler -
there is a single salt for all passwords in the database, the idea
being that an attacker wouldn't be able to use a readily available set
of rainbow tables and would have to compute his own set for the salt
used. Such an implementation is used by the CakePHP web framework, for
example.

Denis.
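The per-user salt scheme described in the thread, as an added example (not the AUR patch itself and not AUR's code): each user gets a fresh random salt stored beside the digest, so two users with the same password end up with different stored hashes and a precomputed table for one salt is useless for the rest. The use of PBKDF2-SHA256 and the iteration count are assumptions of this example, not details from the patch.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Assumed parameters for this example only; the AUR patch under discussion
# does not specify a KDF or iteration count.
ITERATIONS = 100_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). A fresh random salt is drawn per call unless one
    is supplied, so every user gets a unique salt."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, expected: bytes) -> bool:
    """Recompute with the stored (non-secret) salt and compare in constant time."""
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, expected)


def register(users: Dict[str, Dict[str, str]], username: str, password: str) -> None:
    """Store salt and digest as hex, as a DB table would (constructed in-memory table)."""
    salt, digest = hash_password(password)
    users[username] = {"salt": salt.hex(), "hash": digest.hex()}


def login(users: Dict[str, Dict[str, str]], username: str, password: str) -> bool:
    """Look up the user's own salt and verify the supplied password against it."""
    rec = users.get(username)
    if rec is None:
        return False
    return verify_password(password, bytes.fromhex(rec["salt"]), bytes.fromhex(rec["hash"]))


def same_password_differs(password: str) -> bool:
    """Two users choosing the same password get different salts and digests,
    which is why cracking one row tells an attacker nothing about the others."""
    s1, d1 = hash_password(password)
    s2, d2 = hash_password(password)
    return s1 != s2 and d1 != d2
```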
