1

I understand the idea of hash+salt when I create new entry to dtb. If I have some fixed string for the salt it might not be hard to implement it, but how to do it, when I want to use for example user's birthday as a salt? Saving that password to database is easy, but how to hash this during login? I've googled this piece of code for my applicationContext-security.xml file, where they use username value for salt:

<!-- authentication from database -->
<security:authentication-manager>
    <security:authentication-provider>
        <security:jdbc-user-service
            data-source-ref="dataSource"
            users-by-username-query="
          select username,password, enabled 
          from users where username=?"authorities-by-username-query="
          select u.username, ur.authority from users u, user_roles ur 
          where u.user_id = ur.user_id and u.username =?  " />
    <security:password-encoder hash="sha-256">
        <security:salt-source user-property="username" />
        </security:password-encoder-->
    </security:authentication-provider>

</security:authentication-manager>

So if I understand it correctly, it means, that if I would like to use user's birthday as salt, I would have to have it stored in my dtb, pull it out from dtb and then use it as a salt? It doesn't make sense to me, because if I have in my users table columns username, password, birthday, then the password can be hashed, but for the possible attacker is it quite clear, that the birthday value will be used as salt. Is there something I'm missing or does it really work so?

CodesInChaos
  • 106,488
  • 23
  • 218
  • 262
Martin Dvoracek
  • 1,714
  • 6
  • 27
  • 55
  • Something like [BCrypt](http://stackoverflow.com/a/8528804/241990) is the preferred option these days. The salting is done internally, so you don't have to worry about it, and it's more secure. – Shaun the Sheep Aug 20 '13 at 17:34

2 Answers2

1

The goal of using salts is to protect user's password in case of a database dump from a hacker. Because a hash is a one way conversion (you can't reverse the conversion to get the plain text password) hackers are using dictionary of hash to guess user's password (using common passphrases). So adding a salt will add an additional protection layer against this type of attack.

From wikipedia:

Dictionary attack

Rainbow table attack

Benoit Wickramarachi
  • 6,096
  • 5
  • 36
  • 46
1

The salt is not sensitive information, it doesn't matter if it is disclosed. The salt simply prevents rainbow table attacks on hashes. Note that salt should have a fairly high level of entropy, and the birthday may not be as secure as, say, 32 bytes from SecureRandom.

Qwerky
  • 18,217
  • 6
  • 44
  • 80