2

Possible Duplicate:
Secure hash and salt for PHP passwords

Assuming salt is s random, high entropy, long string, and hash is sha512 or bcrypt, why is hash(password + perUserSalt) considered not enough?

This question originated after reading the PHP's new password hashing API RFC in which the author states that

Hash(password + salt) = it's not fine

Community
  • 1
  • 1
Alex
  • 11,479
  • 6
  • 28
  • 50
  • I've heard similar statements so I've always used `hmac_hash()`. Don't know which is better to be honest :S – bashleigh Dec 29 '12 at 10:48
  • The question is pretty straight. Why is the author considering `hash(pw, salt)` bad. The referenced question doesn't answer that. – Alex Dec 29 '12 at 10:56
  • Because `sha512` calculations are very fast. Have you read the references section of that wiki page? It's all there. – Ja͢ck Dec 29 '12 at 11:02
  • Treat passwords as a one way street. They only go to your machine and not the other way. – Ed Heal Dec 29 '12 at 11:04
  • Thanks @Jack. I've read the references and now the speed concert for brutefore hit me. Could you post your comment as an Answer ? – Alex Dec 29 '12 at 11:13

1 Answers1

0

Many years ago it was usual to hash passwords like this for saving in a database, for example:

$hashedPassword = MD5($password . $salt);

Hardware became faster, and the known fast hash functions like MD5, SHA-1, but also SHA-512 could be brute-forced much too fast. Nowadays [2012] it is possible to calculate about 8 Giga MD5 values with common hardware, to brute-force a whole english dictionary with 500'000 words, you need only a fraction of a millisecond!

That's why key-derivation functions like BCrypt and PBKDF2 where invented. They have a cost parameter and repeat the hashing many times (the cost factor determines the number of iterations). Each iteration will use the original salt to calculate a new hash-value, that's why you have to pass the salt separately to the function and cannot concatenate it before:

$hashedPassword = Bcrypt($password, $salt);

The linked article either wants to explain that a single hash calculation is not sufficient nowadays, or it want's to show that the salt cannot be concatenated with the password before passing it to the hash function.

martinstoeckli
  • 23,430
  • 6
  • 56
  • 87
  • Thanks for the answer. Should had replaced `+` with `,`. Anyway, how would your answer change if the hash function was `sha512`. Why is it considered not secure enough ? – Alex Dec 29 '12 at 10:58
  • @Alex - Rewrote the answer for future readers. – martinstoeckli Dec 30 '12 at 11:44