0

Why is it safer to store passwords with a different salt for every password? As passwords are hashed after being salted, I see no reason to use a different salt.

Is it easier to brute-force the password with a known salt or something? Or do hackers make their own rainbow tables once they know the salt?

Kind regards

Gumbo
Tom Broucke
  • 1
    possible duplicate of [Secure hash and salt for PHP passwords](http://stackoverflow.com/questions/401656/secure-hash-and-salt-for-php-passwords) – John Conde Jul 04 '12 at 15:05
  • @JohnConde It isn't really a duplicate. This question is about the advantage of having a different salt for each password. – Styxxy Jul 04 '12 at 15:09
  • 1
    It's becoming a popular topic lately, but the general consensus is that salting passwords and using a cryptographic hash is **not enough**. Investigate using Key Derivation Functions instead. – Leigh Jul 04 '12 at 15:17
  • @Leigh: Any further reading for that? – Creshal Jul 05 '12 at 09:52
  • 1
    @Creshal The introductory paragraph for [PBKDF2 on Wikipedia](http://en.wikipedia.org/wiki/PBKDF2) sums up why KDFs are stronger. The [SCrypt paper](http://www.tarsnap.com/scrypt/scrypt.pdf) also has some nice (more techy) info for producing stronger KDFs. – Leigh Jul 05 '12 at 10:03

3 Answers

3

When you give each password its own individual salt there is no common bond between every salt in every password. So even if the "hacker" cracks one password, he won't have a salt for any other password.

When it comes to using PHP and salting your passwords, you should use a slow encryption, such as crypt. The faster you encrypt something, the quicker the "hacker" can find a way to decrypt it.

You could simply write a function that creates a new salt based on a person's username, email, or combination of a few things.

Marcus Recck
  • In reply to your first paragraph: Even if he knows the salt, he still has to de-hash the password, which is 'impossible' because hashing is irreversible? – Tom Broucke Jul 04 '12 at 15:17
  • He could brute force it using a random salt + password, using the method of encryption you used. Which is why Creshal and I both suggest using a slow encryption method. – Marcus Recck Jul 04 '12 at 15:25
  • @TomBroucke Brute forcing is several orders of magnitude faster when there is only one hash. You "only" have to calculate each hash once with the salt. With individual salts for each user, you have to repeat the entire process for every user. I can't think of an easier way to increase the complexity. – Creshal Jul 05 '12 at 10:16
2

If you use only one salt, the hacker only has to rebuild their rainbow tables once and can use them for your entire database. Duplicate passwords will be easier to find, too.

Use individual hashes and an expensive algorithm (bcrypt, scrypt).

Creshal
1

Ok, let's get one thing straight: Salting has nothing to do with rainbow tables. Yes. Say that again. Salting has nothing to do with rainbow tables.

Well, that's not entirely true. Salts are used to prevent time and memory tradeoffs by amortizing the cost of attacking one hash against the cost of other hashes.

In the case of a rainbow table, using a salt means that the entire table is invalidated.

But there are other ways of invalidating an entire table. You could append a static string to each password (which is not a salt). That would defeat rainbow tables...

The Real Enemy

The real enemy here is not rainbow tables. The real enemy is brute forcing. Modern day machines are so fast at brute forcing that it's cheaper to build a gigantic GPU cluster and do advanced brute-forcing than it is to store enough rainbow tables to make it worth the slow disk access.

A salt helps defeat bruteforcing because it's unique. Not per password. Not per user, but unique in the universe (statistically at least). This is why you want to use a random number, and not the username, email or anything predictable.

Again, not because we don't want predictability. But because we want statistical uniqueness. If an attacker attacks two sites that both use usernames as salts, he can amortize his attacks against both hashes at the same time (even though both may be using different passwords).

Salts should be random, and per user.

ircmaxell
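The difference the answers describe, as an added example that is not part of the original posts: the same three accounts are stored once with a single site-wide salt and once with a random salt per user, and the two tables are compared for visible duplicate hashes and for the number of KDF evaluations a guess list costs. The user names, passwords, salt value, iteration count and the choice of PBKDF2-HMAC-SHA256 from Python's `hashlib` as the slow function are assumptions made for the example.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed work factor for this example; tune for your hardware


def kdf(password, salt):
    """Slow, salted derivation (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def enroll(users, shared_salt=None):
    """Return {user: (salt, hash)}. Passing shared_salt models one salt for all."""
    db = {}
    for name, password in users.items():
        salt = shared_salt if shared_salt is not None else os.urandom(16)
        db[name] = (salt, kdf(password, salt))
    return db


def verify(db, name, password):
    """Recompute with the stored salt and compare in constant time."""
    salt, stored = db[name]
    return hmac.compare_digest(stored, kdf(password, salt))


def duplicate_groups(db):
    """Users whose stored hashes are identical, visible to anyone reading the table."""
    by_hash = {}
    for name, (_, digest) in db.items():
        by_hash.setdefault(digest, set()).add(name)
    return [group for group in by_hash.values() if len(group) > 1]


def guess_cost(db, n_candidates):
    """KDF evaluations needed to test n_candidates against every record:
    one full pass per distinct salt, because a result is reusable only under its salt."""
    return n_candidates * len({salt for salt, _ in db.values()})


# Constructed sample accounts; alice and bob picked the same password.
USERS = {"alice": "correct horse", "bob": "correct horse", "carol": "tr0ub4dor"}
SHARED = enroll(USERS, shared_salt=b"site-wide-salt!!")  # constructed salt value
PER_USER = enroll(USERS)
```

With the shared salt, alice and bob end up with identical hashes and one pass over a guess list covers the whole table; with per-user salts no duplicates show and the cost scales with the number of accounts.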