19

I've been told that email is a bad salt, because it's not unique and connected to the user.
And if a user uses the same password on 2 sites, there will be equal hash.

So, what's wrong with it? what is attack scenario?
Suppose we have both hash and salt. So, other site has the same hash in their database. How can we do any harm to this user on the other site? Can we at all?

I don't see any possibility, but I am not an expert in security, so, I'd like to hear from ones who are, with practical and concrete answers, of course.

I am not going to break anything. I am asking this question in the context of this one: is email or (registration timestamp) a good salt?

Certain and practical answers, please.

Your Common Sense
  • 156,878
  • 40
  • 214
  • 345

7 Answers7

29

The point of a salt is not to be unknown, it is to prevent attackers from amortizing the cost of a brute force or dictionary attack across all users of a site (or even all users of many sites).

Thus, the problem of using a non-random salt like the email address is that it would show an attacker which users are using the same password on several sites, and which would therefore yield access to several accounts at once if cracked via brute force or dictionary attack. For the email address (and everything that is unique per user), this is a rather hypothetical problem since it assumes the attacker has the account data of several sites with considerable overlap in users.

Another problem with using the email address is that users will want to change it - which would be impossible if you use it as salt unless you store it in a separate salt column as well or require people to always change their password together with their email.

Michael Borgwardt
  • 342,105
  • 78
  • 482
  • 720
  • 1
    `it would show an attacker which users are using the same password on several sites` What? Correct me if I get you wrong: you're gonna say what without such a hint (an equal hash), an attacker, **knowing user's password from one site, would not try it on others?** – Your Common Sense Feb 21 '11 at 09:33
  • 6
    @Col. Shrapnel: no, I'm saying that the equal hash shows the attacker which passwords will *definitely* yield access to two (or more) accounts for the price of only one brute-force attack. Of course, if we assume that *most* users use the same password for multiple sites, this is not very valuable information. – Michael Borgwardt Feb 21 '11 at 09:38
  • 1
    @Col. Shrapnel actually he is correct. Thats why salts where only a few bits in size on old Unix systems. – rook Feb 21 '11 at 18:33
  • i'm curious what you have to say about my post. – rook Feb 21 '11 at 18:47
4

This is mostly a theoretical question. So, how does "cracking a hashed value" work? There are so called "rainbow tables", that are just list with common words and theire hash value. For salted hashes an attacker needs such tables also with salted hashes. So in theory with unique salts for every user an attacker needs one table for every salt (=> user). If you have a static salt, he "just" needs one table for your db. Its quite expensive to create such tables, so in most cases its not worth to create it just for a single page.

Conclusion: Its (of course) safer, to use unique salts for every user, but on a veeery high level. A static salts is usually "safe enough".

KingCrunch
  • 128,817
  • 21
  • 151
  • 173
3

The first attack I can think of is:

  • a user has the same salt and password at two sites
  • both sites have a flaw to allow reading the salted passwords
  • one site makes reading a password or brute-force guessing a password easy

An attacker could quickly look at identical salted passwords on both sites and find users with identical passwords at both sites. Then read the password or guess the password on the weaker site, and use it on the more secure site.

Granted, different salts wouldn't make the problem significantly better because all million passwords can be tried eventually. But knowing which users have identical passwords would be much 'quieter' than just blindly trying all the users' passwords on the stronger site.

sarnold
  • 102,305
  • 22
  • 181
  • 238
  • The salt is only relevant in a scenario where the attacker has the password hash and is thus able to run a *local* brute-force attack, i.e. not interacting with the affected site at all (and thousands of times more efficient). – Michael Borgwardt Feb 21 '11 at 09:41
  • What's the difference between weaker site and more secure site? don't they both expose hashes? why to break a password on "weaker" site first? Why can't we just break a hash, shown on the "more secure site"? I see on sense in this scenario. – Your Common Sense Feb 21 '11 at 09:44
  • 2
    @michael Borgwardt, salts have multiple benefits: yours is the most important benefit, but salts are _also_ useful for hiding the fact that users [may have identical passwords](http://en.wikipedia.org/wiki/Password_salt#Additional_benefits). – sarnold Feb 21 '11 at 09:44
  • 1
    @Col. Shrapnel, perhaps one site uses HTTP and the other uses HTTPS. You could simply read the password for a user off the wire from the first site, and if you know which users have identical passwords on both sites, _presto_, you've got _silent_ access to the stronger site. It _is_ a stretch to assume both sites have flaws that expose salted passwords, but I've seen enough SQL injection attacks to believe it's non-trivial amount of sites. – sarnold Feb 21 '11 at 09:46
  • @sarnold: that, too, is only relevant when the attacker has access to the hashed passwords and thus doesn't have to do his brute force or dictionary attacks through the regular interface. – Michael Borgwardt Feb 21 '11 at 09:47
  • @Michael Borgwardt, yes, see the second bullet point in my list. I assumed that fault from the start, and I've seen enough SQL injections to believe that many sites suffer from this fault. – sarnold Feb 21 '11 at 09:48
  • @sarnold, I afraid that to discover such a great secret, one don't need 2 equal hashes. – Your Common Sense Feb 21 '11 at 09:49
  • there is a flaw in your logic. If you've got a user database from "more secure site", ant it is your goal, there is not a single reason to attack weaker site. Got the point? – Your Common Sense Feb 21 '11 at 10:51
  • 1
    @Col. Shrapnel except it can take hours or days to brute-force a salted dictionary but only seconds to read a password off the wire if it is sent in cleartext to a weaker site first. – sarnold Feb 21 '11 at 10:54
  • ah, now I see the point. however, there is not much sense in looking for equal hashes. to look for the equal emails would be more sensible and fruitful, *even* if hashes are different. It worth to try the password anyway, from the hacker's point of view. – Your Common Sense Feb 21 '11 at 11:04
  • 1
    @Col. Shrapnel, glad we finally connected :) you're right, "try the password anyway" is an obvious step, but _noisy_ -- it'll be noticed in the logs when an attacker tries thousands of passwords much faster than usual password failure rates. So finding identical hashes --> identical passwords --> silent abuse. Well, the failure rate will go down :) but I doubt any admins would pay attention. – sarnold Feb 21 '11 at 11:06
  • @sarnold I really doubt that there will be thousands common users between two randomly picked average cities. but that's an assumption anyway, okay. so, unix timestamp going to be better salt? – Your Common Sense Feb 21 '11 at 11:20
  • @Col. Shrapnel, heh, between _cities_, you're probably right! :) I was thinking FaceTube and TwitBook-size sites, millions of folks with doubtless identical passwords... Yeah, Unix timestamp sounds great to me unless you're registering more than a few users per second. – sarnold Feb 22 '11 at 00:21
1

Think of the web sites you've programmed - I bet the most powerful users in these systems have very common usernames like admin, root, etc. As an attacker I can generate a precomputed hash list containing the most common usernames with the weakest and most common passwords - that is, if a web programmer is naive enough to salt their passwords with usernames, my job as an attacker has become much, much easier - the collisions are very predictable.

Using an email address as a salt is better, but the same principle applies. Assuming I've cracked one database that uses an email-based salt I'll have a much easier time cracking every other database that does the same - at least, for email/password combinations that exist across databases. (Given the amount of login reuse, that's a very likely). It's not as simple as with the username salts, but the collisions are out there, waiting to be discovered.

As a programmer what I really want is a password hash that won't collide - ever. A universally unique hash for each user that can't be found in any other database in the world. That's a tall order, but it's doable with a sufficiently long, randomly generated salt.

There's a herd immunity effect in play - using a bad salt makes it easier for attackers to attack similar systems after they've compromised your database. A strong salt will always protect your users and help other userbases from being compromised.

leepowers
  • 37,828
  • 23
  • 98
  • 129
0

Can't really help you in terms of security, but if you look at vBulletin for example, each user gets their own generated salt, which they use the encrypt the password like this:

$password = md5(md5($clear_password) + $salt);

So the salt will be different for each user and any site where vBulletin is running (at least a pretty good chance that it will be different), so the stored password, in turn will be different for each site.

It's not what you were asking for, but something to meditate on :)

YoGiN
  • 127
  • 4
  • To explain a little my previous statement. To implement a random salt is not that big problem. I think that vBulletin guys were thinking the same: it will do no harm to create a random salt - so, we will do it. But my goal is slightly different: Not a protection that I look for, but rather knowledge. I want to confirm that I understand the things right. A point of view from the other side of the frontier, you may call it. – Your Common Sense Feb 21 '11 at 11:33
0

Assume the hacker has both password and salt, AND access to your hashing formula.

This will NOT prevent a dictionary attack, contrary to popular beleif. It will stop a simple dictionary attack, but iterating the dictionary with the salts per user account is perfectly possible.

See: Why do salts make dictionary attacks 'impossible'? for more related information.

This is why when you generate the hash of the password, instead of hashing once with salt, IE:

hashedPW = sha1(rawPassword + salt)

You would do:

hashedPW = sha1(rawPassword + salt)
for i = 0; i < 2000; i++){
    hashedPW = sha1(hashedPW + salt)
}

The multi hash function should take a significant fraction of a second to calculate. This means when the hacker gains access to the database, the dictionary attack then becomes exponentially more time consuming only allowing him to crack a very small % of user accounts.

Community
  • 1
  • 1
Tom Gullen
  • 61,249
  • 84
  • 283
  • 456
  • It's still takes only seconds to break certain password. Isn't it better to allow complex passwords only? – Your Common Sense Feb 21 '11 at 12:21
  • Assume you realise this would have to be calculated for each authentication. Yikes. – Sam Stainsby Feb 21 '11 at 12:28
  • Having password rules that increase the combinations of possible password to as large a set as possible without compromising too much on usability is a delicate balance. But, yes, having password rules is a great way to make dictionary attacks near impossible. However, even with complex rule passwords + salts, these can be brute forced reasonably easily, which is why you rehash them over 1 thousand times to make this extremely time consuming so less accounts are compromised. – Tom Gullen Feb 21 '11 at 12:29
  • 1
    @Sam yes, it is an expensive operation. See http://stackoverflow.com/questions/3566504/why-do-salts-make-dictionary-attacks-impossible for more detailed information on it. It is a good security measure. Authentication is usually a one of irregular calculation though (only at login) so it is an acceptable tradeoff. – Tom Gullen Feb 21 '11 at 12:30
  • Use a longer hash and salt instead. – Sam Stainsby Feb 21 '11 at 12:31
  • @Sam I'm not sure about the inner workings of one way hashing functions, but assuming they do take longer with increased length, you would need an extremely long hash and salt to reach the 'significant fraction of a second' the hashing operation should take according to security experts. – Tom Gullen Feb 21 '11 at 12:34
  • Which security experts would they be? Maybe I know them. – Sam Stainsby Feb 21 '11 at 12:54
  • @Sam The technique is known as key strengthening. It helps prevent against rainbow and dictionary attacks. You asked me to reference security experts. 1) 'Secure Applications of Low-Entropy Keys', J. Kelsey, B. Schneier, C. Hall, and D. Wagner. http://www.schneier.com/paper-low-entropy.html. 2) 'scrypt: A new key derivation function', Colin Percival, BSDCan 2009 http://www.bsdcan.org/2009/schedule/events/147.en.html. 3) Robert Morris the cryptographer was apparently one of the first to apply this technique. Perhaps I didn't articulate myself well enough, but there's some reading there. – Tom Gullen Feb 21 '11 at 13:00
  • @Tom Almost midnight here .. will have to read them tomorrow. – Sam Stainsby Feb 21 '11 at 13:57
  • @Sam With questions such as these there is a lot of confusion over the semantics, usually these questions seem to cover too broad of an area as each technique in regards to security is quite complex. Key strengthening is new to me, I'm not expert, but I feel I understand it and also understand it's logic. You mentioned increasing the length of salts + passwords which didn't make much sense to me, but I did a bit of reading and found it it helps prevent attackers creating rainbow tables which I found interesting. So thank you for teaching me about that, it's an interesting area of computing. – Tom Gullen Feb 21 '11 at 14:10
  • +1 because this does not deserve a downvote, even if it does not really answer the question that was actually asked :) – Michael Borgwardt Feb 21 '11 at 21:38
  • @Tom (while I'm here) I'll probably never get around to reading those papers, but I did skim them. My gist was that this is a way to extend the security without upgrading the hash algorithm. The algorithm you list above is really a naive extension of the hash algorithm, with unproven security properties. I suspect it will be better to instead use a hash with a much large space needed to brute force it, such as SHA-512. – Sam Stainsby Feb 22 '11 at 05:16
-3

If the salt is already known, then you have bigger problems on your hands.

http://en.wikipedia.org/wiki/Rainbow_attack

Nocturnal
  • 683
  • 7
  • 25
  • Thank you. It says *Proper key derivation functions employ salt to make this attack* **infeasible** – Your Common Sense Feb 21 '11 at 10:35
  • Passwords are stored in a hash format in a DB. Some sites add a salt to protect passwords from being brute forced. Hashes have collisions thats why some of the familiar ones are retired, the idea of a Rainbow Attack is to find a keyword that would result to a similar hash. Password = MD5 (Weak if password is something simple) Password+SALT = MD5 (Harder to guess) So yes if you know the Salt and mount a Rainbow Attack on a desired hash you can attack a user password. – Nocturnal Feb 21 '11 at 11:01
  • I'm afraid you don't understand the meaning of the rainbow table. if you find the similar hash of salted password, using such table due to a collision, **it won't help you to reveal password itself**. As for the bruteforce, here is one little problem: to bruteforce a hash, one need to have that hash, isn't it? – Your Common Sense Feb 21 '11 at 11:09
  • You want to reveal the original password itself. Good luck! :) – Nocturnal Feb 21 '11 at 11:13
  • You don't? but how can you use a hash otherwise? – Your Common Sense Feb 21 '11 at 11:23
  • -1, if the salt is sufficiently large than even if it is known then a rainbow table that could crack it would too large for the attacker to generate. By contrast if the salt is very small and the salt is unkown then a rainbow table should have no trouble breaking the hash. – rook Feb 21 '11 at 18:31