PerlMonks  

Re^2: Passwords, hashes, and salt

by ikegami (Patriarch)
on Jun 24, 2005 at 18:34 UTC


in reply to Re: Passwords, hashes, and salt
in thread Passwords, hashes, and salt

Adding salt does two things:

1) It makes it harder to brute force the password list.

2) If person A knows his password hashes to the same value as person B's -- some websites stupidly publish users that had the same password hash -- person A could log in as person B using their own password without even knowing person B's password. Adding salt would create different hashes (even for the same password), eliminating this problem.

"usually based on some input from the user record or the password itself"

Salts are usually random. Ideally, each user has a different salt. They must definitely NOT be based on the password since the salt must be known. Basing it on the password would leak info about the password.

Crypt::PasswdMD5 creates a salt for you if you don't specify one, according to the documentation.
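
The two effects described in the post above, as an added example that is not part of the original post: unsalted hashes reveal which users share a password, while per-user random salts hide it and still allow verification. The user names and passwords are constructed, the helper names are hypothetical, and Crypt::PasswdMD5 is used only because it is the module the post names.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Crypt::PasswdMD5 qw(unix_md5_crypt);
use Digest::MD5 qw(md5_hex);

# Constructed sample accounts: alice and bob happen to pick the same password.
my %chosen = (alice => 'hunter2', bob => 'hunter2', carol => 'correct horse');

# Group users by stored hash; a group with more than one member shares a password.
sub shared_groups {
    my (%stored) = @_;
    my %by_hash;
    push @{ $by_hash{ $stored{$_} } }, $_ for sort keys %stored;
    return grep { @$_ > 1 } values %by_hash;
}

# Re-hash the candidate with the salt kept in the stored record ($1$salt$hash).
sub check_password {
    my ($candidate, $stored) = @_;
    my (undef, undef, $salt) = split /\$/, $stored;   # fields: '', '1', salt, hash
    return unix_md5_crypt($candidate, $salt) eq $stored;
}

# Unsalted: equal passwords always produce equal hashes.
my %unsalted = map { $_ => md5_hex($chosen{$_}) } keys %chosen;

# Salted: called without a salt argument, unix_md5_crypt generates one itself
# (per the module documentation cited in the post), so every record differs.
my %salted = map { $_ => unix_md5_crypt($chosen{$_}) } keys %chosen;

for my $case ([unsalted => \%unsalted], [salted => \%salted]) {
    my ($label, $stored) = @$case;
    my @groups = shared_groups(%$stored);
    printf "%-9s %d group(s) of users with identical hashes%s\n", "$label:",
        scalar @groups,
        @groups ? ' (' . join(', ', map { join '=', @$_ } @groups) . ')' : '';
}

# The salt is stored in the clear next to the hash, so the legitimate check
# still works; it only has to differ per user, not be secret.
printf "alice, right password: %s\n",
    check_password('hunter2', $salted{alice}) ? 'accepted' : 'rejected';
printf "alice, wrong password: %s\n",
    check_password('hunter3', $salted{alice}) ? 'accepted' : 'rejected';
```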
