Topic: Can anybody explain the basic idea behind password salt

OK... some little extra data is added to the password in order to avoid brute force, rainbow tables, dictionaries, etc.
But I still didn't get (despite all the articles I read about it out there) how the heck the salt is put together with the unencrypted password to match the final hash.

Like, when I log in to a PunBB 1.3 forum, I insert my password; where is the salt stored in order to be added to my password so it can be checked?

Just in case somebody feels tempted to answer with a Wikipedia link, I read this article before I posted this message:
http://en.wikipedia.org/wiki/Salt_%28cryptography%29

Re: Can anybody explain the basic idea behind password salt

http://blog.punbb.org/2007/02/21/hashing-passwords/

Not wikipedia big_smile

Re: Can anybody explain the basic idea behind password salt

That's actually the article I was reading when my doubts came up. I then interrupted the reading to, once and for all, understand the salt thing.

Now I read the whole article anyway and got to understand how the PunBB password hashing system works. But I am still wondering about my biggest doubt:

Every single article I read about this (including that blog entry) points out the big danger: database leaking.
If password leaking is the "attack" one should be protected from, in case it happens, I can't see how storing a hash in the very same database improves security.

I take the chance to drop another related question:
The hashed (with salt) passwords in a *nix system are stored in a passwd file. Where is the location where the salt is typically kept?

Re: Can anybody explain the basic idea behind password salt

If you read the comments on that page, you'll see why it helps tongue
I really can't explain it much better smile

Re: Can anybody explain the basic idea behind password salt

Comment #6 focuses on what I just posted here and comment #7 gives the explanation there is to give.

Mmmm, there is some improvement in security: an attacker would have to build a rainbow table for each salt. So they would have to focus on one (or more) specific user rather than trying to find collisions in whatever data they hijacked.

We all should keep in mind that this won't stop a brute force attack if the attacker intends so (and can perform it, of course).

Re: Can anybody explain the basic idea behind password salt

Nothing is 100% safe tongue

Re: Can anybody explain the basic idea behind password salt

pedrotuga: So, do you want me to try and answer something else? smile

Re: Can anybody explain the basic idea behind password salt

Smartys wrote:

pedrotuga: So, do you want me to try and answer something else? smile

Don't get me wrong. Far from me to say that this new hashing is useless.
I meant that in general people are way too obsessed with security. The latter does not imply the former.

Re: Can anybody explain the basic idea behind password salt

pedrotuga wrote:

The hashed (with salt) passwords in a *nix system are stored in a passwd file. Where is the location where the salt is typically kept?

I believe the salts are stored in what is called a shadow file. At least, that's how I think Linux does it.

"Programming is like sex: one mistake and you have to support it for the rest of your life."

Re: Can anybody explain the basic idea behind password salt

pedrotuga wrote:

I meant that in general people are way too obsessed with security.

Yes, but people are obsessed about security in all the wrong ways. They install mammoth software firewalls, anti-virus, anti-spyware and shit like that instead of using a bit of common sense.

In the case of PunBB though, I believe we need to be a bit obsessed. We're developing something that other people are going to use, and we're distributing it with the source code wide open.


Re: Can anybody explain the basic idea behind password salt

Rickard wrote:
pedrotuga wrote:

I meant that in general people are way too obsessed with security.

Yes, but people are obsessed about security in all the wrong ways. They install mammoth software firewalls, anti-virus, anti-spyware and shit like that instead of using a bit of common sense.

In the case of PunBB though, I believe we need to be a bit obsessed. We're developing something that other people are going to use, and we're distributing it with the source code wide open.

I agree with both of those. This discussion was not referring to PunBB in particular. That's why I said I don't think this new hashing is useless.
The blog entry just made me think about all these existential security doubts I had. Thank you three for the answers smile

Re: Can anybody explain the basic idea behind password salt

pedrotuga wrote:

But I still didn't get (despite all the articles I read about it out there) how the heck the salt is put together with the unencrypted password to match the final hash.

Check out the login.php file: http://dev.punbb.org/browser/branches/p … /login.php

$form_password_hash = sha1($salt.sha1($form_password));
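An added example (not PunBB's own code) that reproduces the sha1($salt.sha1($form_password)) construction quoted above and works through both questions raised in the thread: the salt is stored in the same user row as the hash and read back at login, and a hash table precomputed for one user's salt does not match another user who chose the same password. The usernames, passwords, salt values and the in-memory "users" table are constructed for illustration; the random salt generator is an assumption, not PunBB's own.

```python
import hashlib
import secrets
from typing import Optional

def punbb_hash(salt: str, password: str) -> str:
    """The construction quoted from PunBB 1.3's login.php:
    sha1($salt . sha1($form_password)), with the inner digest hex-encoded
    exactly as PHP's sha1() returns it."""
    inner = hashlib.sha1(password.encode("utf-8")).hexdigest()
    return hashlib.sha1((salt + inner).encode("utf-8")).hexdigest()

def register(users: dict, username: str, password: str,
             salt: Optional[str] = None) -> dict:
    """Store salt and hash side by side in the same (here in-memory) user row.
    The salt is not a secret; it only has to differ from user to user."""
    if salt is None:
        salt = secrets.token_hex(6)  # assumption: random per-user salt, not PunBB's generator
    users[username] = {"salt": salt, "password": punbb_hash(salt, password)}
    return users[username]

def login(users: dict, username: str, password: str) -> bool:
    """Verification re-reads the salt from the stored row, so nothing beyond
    the row itself is needed to check a submitted password."""
    row = users.get(username)
    if row is None:
        return False
    return punbb_hash(row["salt"], password) == row["password"]

def lookup_table(candidates: list, salt: str) -> dict:
    """A precomputed hash -> password table is only valid for one salt value."""
    return {punbb_hash(salt, pw): pw for pw in candidates}

def demo() -> dict:
    users = {}
    alice = register(users, "alice", "letmein", salt="a1b2c3")   # constructed
    bob = register(users, "bob", "letmein", salt="d4e5f6")       # constructed
    # Table built for alice's salt: finds alice, misses bob despite the same password.
    table = lookup_table(["password", "letmein", "123456"], alice["salt"])
    return {
        "same_password_same_hash": alice["password"] == bob["password"],
        "alice_found_in_table": table.get(alice["password"]),
        "bob_found_in_table": table.get(bob["password"]),
        "alice_login_ok": login(users, "alice", "letmein"),
        "alice_wrong_pw": login(users, "alice", "letmeout"),
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```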