I have secured against SQL injection and file inclusion; I'm wondering why salting passwords is needed if no access to the server is possible.

How would a cracker get a hashed password from a PHP server if he does not have access to the server? No local account on the web server, Linux or Windows. Also, what if he has a web account on the web server?

My thinking is that the hashed password is never seen by the cracker because the password comparison takes place on the web server and not on the client computer. So if the server is secured, then the cracker would not be able to get access to his or other users' hashed passwords, right?

user1658688
    So why hash them in the first place? You could just store them plaintext :p – knittl Dec 17 '13 at 20:48
  • *"Why salt passwords?"* – Would you rather find out `the hard way`? – *I didn't think so*. So, `salt` them. ;-) An ounce of prevention (`dot, dot, dot`) – Funk Forty Niner Dec 17 '13 at 20:52

4 Answers

> if no access to server is possible

Plugging every security hole you can find doesn't mean there are no security holes left.

You cannot assume that access to the server is (and will remain) impossible.

Quentin

Assuming you are 100% unhackable is a bad assumption. Hashing your passwords is a simple task, so I think the better question is: why NOT do it? In short, if OWASP recommends it, you should do it. https://www.owasp.org/index.php/Password_Storage_Cheat_Sheet You don't want to end up like LinkedIn: http://queue.acm.org/detail.cfm?id=2254400

gfrobenius
    And don't forget about the "insider" threat: disgruntled employees who do have access. https://www.owasp.org/index.php/CLASP_Security_Principles – gfrobenius Dec 17 '13 at 20:57

Because you can't be sure that no access to the server is, or ever will be, possible; you could be wrong. How would a cracker get a hashed password from a PHP server? A bug, or an exploit, or social engineering, or some guy you hired and then fired who is now pissed and feels like leaking a data dump of your database to the internet, or anything. Why not salt your passwords?

neminem

If you don't salt passwords, you run the risk that a hacker will use rainbow tables (http://en.wikipedia.org/wiki/Rainbow_table) and brute-force your login until such time as he or she gets the password correct.
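The point the answers make, that a leaked table of unsalted hashes is cracked by lookup while salted hashes force the attacker to recompute per user, is easy to see in code. The following is an added example, not code from the question or any of the answers; it is written in Python against the standard library rather than PHP because the idea is language-independent (in PHP 5.5+ `password_hash()` and `password_verify()` do the salting and slow hashing for you). The "leaked" user table, the candidate password list and the PBKDF2 iteration count are constructed for the example.

```python
"""Why an unsalted hash is worth little once the user table leaks, and why a
per-user salt plus a slow KDF changes the attacker's economics.

Added illustration (not from the original question or answers); the leaked
user table and the candidate password list are constructed here.
"""
import hashlib
import hmac
import os

# Constructed sample: a dump of a user table that stored unsalted SHA-256.
LEAKED_UNSALTED = {
    "alice": hashlib.sha256(b"password").hexdigest(),
    "bob": hashlib.sha256(b"correct horse battery staple").hexdigest(),
}

# Constructed stand-in for a cracker's wordlist / rainbow-table input.
CANDIDATES = ["123456", "password", "letmein", "qwerty"]

# Demo cost only (assumption for this example). Production code should use a
# much higher count or a memory-hard KDF such as bcrypt, scrypt or Argon2.
ITERATIONS = 20_000


def unsalted_hash(password: str) -> str:
    """What the question describes: hash(password) with nothing else mixed in."""
    return hashlib.sha256(password.encode()).hexdigest()


def build_lookup_table(candidates):
    """Precompute hash -> password once. A rainbow table is a space-optimised
    version of this idea; what matters is that it is built before the breach
    and works against every site that used the same unsalted function."""
    return {unsalted_hash(p): p for p in candidates}


def crack_unsalted(leaked, table):
    """One dictionary lookup per user; no hashing at all at crack time."""
    return {user: table.get(h) for user, h in leaked.items()}


def salted_hash(password: str, salt: bytes, iterations: int = ITERATIONS) -> str:
    """PBKDF2-HMAC-SHA256 with a per-user salt, from the standard library."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()


def make_record(password: str) -> dict:
    """Store the salt next to the hash; the salt is not secret, just unique."""
    salt = os.urandom(16)
    return {"salt": salt.hex(), "hash": salted_hash(password, salt)}


def verify(password: str, record: dict) -> bool:
    """Server-side check; constant-time compare avoids leaking match length."""
    salt = bytes.fromhex(record["salt"])
    return hmac.compare_digest(salted_hash(password, salt), record["hash"])


def crack_salted(records, candidates):
    """With unique salts the precomputed table is useless: each (user, candidate)
    pair costs a fresh KDF run. Returns what was found and how many runs it took."""
    found, kdf_runs = {}, 0
    for user, rec in records.items():
        found[user] = None
        salt = bytes.fromhex(rec["salt"])
        for cand in candidates:
            kdf_runs += 1
            if hmac.compare_digest(salted_hash(cand, salt), rec["hash"]):
                found[user] = cand
                break
    return found, kdf_runs


if __name__ == "__main__":
    table = build_lookup_table(CANDIDATES)
    print("unsalted, table lookup:", crack_unsalted(LEAKED_UNSALTED, table))
    leaked_salted = {
        "alice": make_record("password"),
        "bob": make_record("correct horse battery staple"),
    }
    salted_hashes_only = {u: r["hash"] for u, r in leaked_salted.items()}
    print("same table vs salted:", crack_unsalted(salted_hashes_only, table))
    print("salted, per-user KDF runs:", crack_salted(leaked_salted, CANDIDATES))
```

Run it and the first line shows "password" recovered for alice with zero hashing; the second shows the same table recovering nothing once salts are in play; the third shows the weak password still falls, but only after a KDF run per candidate per user, which is the cost the salt and iteration count are there to impose.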