Beefy Boxes and Bandwidth Generously Provided by pair Networks
Clear questions and runnable code
get the best and fastest answer
 
PerlMonks  

Re: Passwords, hashes, and salt

by dynamo (Chaplain)
on Jun 24, 2005 at 18:22 UTC ( #469780=note: print w/replies, xml ) Need Help??


in reply to Passwords, hashes, and salt

You are going to need a hash function to store your passwords, and MD5 is (IMHO) decently secure. Moreso than plain old crypt with salt at least. I'm not sure how salt really adds anything useful to the picture - either you have a fixed salt value, in which case it can be ignored as part of the crypt algorithm, or you have a dynamically generated salt value, usually based on some input from the user record or the password itself - which can also pretty much be ignored as part of the crypt algorithm.

It's fairly straightforward how to implement this yourself - check the hashed password against the database for an auth request, hash and store the password when creating a user or changing a password. What else did you need to know?

Replies are listed 'Best First'.
Re^2: Passwords, hashes, and salt
by ikegami (Pope) on Jun 24, 2005 at 18:34 UTC

    Adding salt does two things:

    1) It makes it harder to brute force the password list.

    2) If person A knows his password hashes to the same value as person B's -- some websites stupidly publish users that had the same password hash -- person A could login as person B using their own password without even knowing person B's password. Adding salt would create different hashes (even for the same password), eliminating this problem.

    usually based on some input from the user record or the password itself

    Salts are usually random. Ideally, each user has a different salt. They must definitely NOT be based on the password since the salt must be known. Basing it on the password would leak info about the password.

    Crypt::PasswdMD5 creates a salt for you if you don't specify one, according to the documentation.

Re^2: Passwords, hashes, and salt
by Anonymous Monk on Jun 24, 2005 at 18:31 UTC
    I'm not sure how salt really adds anything useful to the picture
    Salt makes your passwords less vulnerable to dictionary attacks.

Log In?
Username:
Password:

What's my password?
Create A New User
Node Status?
node history
Node Type: note [id://469780]
help
Chatterbox?
and the web crawler heard nothing...

How do I use this? | Other CB clients
Other Users?
Others romping around the Monastery: (4)
As of 2019-05-26 15:32 GMT
Sections?
Information?
Find Nodes?
Leftovers?
    Voting Booth?
    Do you enjoy 3D movies?



    Results (153 votes). Check out past polls.

    Notices?
    • (Sep 10, 2018 at 22:53 UTC) Welcome new users!