I have spent the past hour reading on salting and still don't understand how it is achieved. Forgive me if I'm wrong, but the way I'm thinking of salting is: store an ArrayList of random strings, for example 100 strings. When a user registers, a method gets a random string from the array list, retrieves the index of that string within the array and inserts it into the DB, applies the random string to the password the user entered, hashes the whole string and stores it in the DB.
Now when the user logs in, retrieve the index into the ArrayList of random strings, apply that string to the entered password, hash the whole string and compare the two passwords.
Is this a way of salting? Would it be classed as salting?
It's better to have unique salts for each user/password hash instead of reusing a limited set of 100 salts.
The reason is the way hackers attempt to compromise a database full of passwords once they get hold of it, in particular using rainbow tables to find known values shared between multiple users.
For example (pseudo-code):

```
// Bad way: one salt value shared by every user
var nonUniqueSalt = "some salt value";
var userPass1 = "p@ssword!";
var userPass2 = "p@ssword!";
// Bad! This is true: identical passwords produce identical hashes.
var isSame = (doHash(userPass1 + nonUniqueSalt) == doHash(userPass2 + nonUniqueSalt));
```

This is bad because once the hacker cracks the first password hash, both users are compromised.

```
// Better way: a different salt for every user
var uniqueSalt1 = "unique salt 1";
var userPass1 = "p@ssword!";
var uniqueSalt2 = "unique salt 2";
var userPass2 = "p@ssword!";
// Better! This is false: the same password yields different hashes.
var isSame = (doHash(userPass1 + uniqueSalt1) == doHash(userPass2 + uniqueSalt2));
```

This way is better, because the salts are different even if the passwords are the same, so the hacker can't use rainbow tables and is forced to compromise each user's password individually.

As far as the salting "algorithm" users mentioned in the comments, you don't need to worry about it aside from trying to make the salt unique for each user (for the reasons described above).
In practice, whatever salt you use needs to be stored in the DB alongside the password hash, so once the hacker has the database, he'll have the value used as the salt no matter how you go about deriving it.
As such, using a salt based on Guid.NewGuid().ToString() is sufficient for having unique values for each login.
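The per-user salt scheme from the answer above, as an added Python example that is not from the question or answer: a fresh random salt is generated at registration, stored next to the hash, and looked up again at login. The `doHash` of the pseudo-code is replaced here by PBKDF2-HMAC-SHA256 (an assumption of this example, not something the answer prescribes); `USERS` stands in for the database table.

```python
import hashlib
import hmac
import secrets

# Constructed in-memory stand-in for the DB table: username -> (salt, hash).
USERS: dict[str, tuple[bytes, bytes]] = {}

# Assumed KDF choice for this example; the salt handling is the point.
ITERATIONS = 100_000


def hash_password(password: str, salt: bytes) -> bytes:
    """Derive a fixed-length hash from the password and this user's salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def register(username: str, password: str) -> None:
    """Generate a fresh random salt for this user and store it beside the hash."""
    salt = secrets.token_bytes(16)  # unique per registration, never drawn from a fixed list
    USERS[username] = (salt, hash_password(password, salt))


def verify(username: str, password: str) -> bool:
    """Look up the stored salt, re-derive the hash and compare in constant time."""
    record = USERS.get(username)
    if record is None:
        # Do equivalent work so an unknown username is not revealed by timing.
        hash_password(password, b"\x00" * 16)
        return False
    salt, stored = record
    return hmac.compare_digest(hash_password(password, salt), stored)


def same_stored_hash(user_a: str, user_b: str) -> bool:
    """True only if two users' stored hashes are identical (the rainbow-table case)."""
    return USERS[user_a][1] == USERS[user_b][1]


if __name__ == "__main__":
    register("alice", "p@ssword!")
    register("bob", "p@ssword!")
    print("same password, same stored hash?", same_stored_hash("alice", "bob"))  # False
    print("alice correct password:", verify("alice", "p@ssword!"))  # True
    print("alice wrong password:", verify("alice", "wrong"))  # False
```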