
Web Application Password Security

Knb15 (Jr. Member, Posts: 50, Joined: Tue Feb 23, 2010 10:18 am)

Post Tue Jan 25, 2011 8:42 pm

Web Application Password Security

Hey guys,

I have developed a web application for work, used PHP for the server side and just HTML/CSS client side.

My question revolves around the fact that I store the user passwords in a MySQL db. These passwords are hashed before being inserted into the db, so that the db contains the hashes, not the actual passwords.

I stumbled upon a blog about "secure hashes in PHP using salt" (http://pbeblog.wordpress.com/2008/02/12 ... sing-salt/). At first I was interested because I happen to work for a group of individuals who are not computer savvy. They have trouble remembering the simplest of passwords.

The idea of the blogger is to add a salt to the simple password a user may choose, and that salt will make the easy password a stronger password if a strong salt is used. (not a new idea)

I agree that it is better to save hashes of the password to the database and not the actual password.

However, from how I looked at it, I can't see how using a salt can help strengthen a password in order to help prevent brute forcing or dictionary attacks.

For instance, USER1's password is "dummy", password is hashed using MD5 with a salt of "!@#$" and stored in the DB.

Now to access the account, USER1 supplies the username and types his password, "dummy". The php application applies the salt and hashes it, then checks DB for match, which it does, so USER1 is logged in.

My point is, the salt here doesn't help to make a sloppy password stronger if the same salt is applied to any password supplied. If I eventually guess that the password is "dummy" and supply it, it doesn't matter that I don't know what the salt is.

My question is, is that the only way the salt can be used? To help secure the password in the DB? Or is there another use to it that does help make a password stronger?

If it did help, I suppose other applications wouldn't have such stringent password complexity requirements. They would just accept any weak password and apply a strong salt to it. Doesn't seem right unless it can be used in a way I am not aware of.

Appreciate any input.

Thanks!

Knb
caissyd (Hero Member, Posts: 894, Joined: Thu Dec 31, 2009 11:20 am, Location: Ottawa, Canada)

Post Wed Jan 26, 2011 3:12 pm

Re: Web Application Password Security

Knb15,

Two things:

1) Salts are very effective against rainbow tables. Since these tables pre-hash a lot of possible passwords beforehand, they would find "dummy" in seconds. But if you add a good salt, they simply won't work (well, the vast majority of the time).

2) They make passwords longer (if the salt is unknown to the attacker). For example, if an attacker gets your database dump from, let's say, SQL injection and he doesn't have access to your PHP source code, it will be much harder for him to break "!@#$dummy" than just "dummy". But if he gets access to your source code and finds the salt, he still has to go for a brute force attack and can't use rainbow tables.

Hope this answered your question.
OSCP, GPEN, GWAPT, GSEC, CEH, CISSP
(aka H1t.M0nk3y)
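The following is an added example, not code from either post, that works through the scheme Knb15 describes (MD5 over a fixed salt "!@#$" plus the password) and the two points in caissyd's reply: a precomputed table built without the salt misses, but once the salt is known a wordlist still cracks "dummy", because the salt never made the password itself stronger. It goes one step beyond the thread by also showing a random salt per user, stored beside the hash, so the attacker's precomputation cannot be shared across accounts. It is in Python rather than the poster's PHP because the point is the hashing scheme, not the language; FIXED_SALT is taken from the post, and WORDLIST, USERS, make_dump and crack_dump are names and constructed data of my own.

```python
import hashlib
import hmac
import os

# Scheme from the original post: one application-wide salt, MD5(salt + password).
FIXED_SALT = "!@#$"

# Constructed stand-in for an attacker's wordlist / rainbow-table input.
WORDLIST = ["123456", "password", "dummy", "letmein", "qwerty"]

# Constructed accounts with the kind of passwords the post complains about.
USERS = {"USER1": "dummy", "USER2": "password", "USER3": "dummy"}


def fixed_salt_hash(password: str, salt: str = FIXED_SALT) -> str:
    """MD5 over salt + password, as the post describes. salt="" is plain MD5."""
    return hashlib.md5((salt + password).encode("utf-8")).hexdigest()


def verify_login(stored_hash: str, candidate: str, salt: str = FIXED_SALT) -> bool:
    """Login check: re-hash the typed password with the same salt and compare.
    compare_digest avoids leaking the matching prefix length through timing."""
    return hmac.compare_digest(stored_hash, fixed_salt_hash(candidate, salt))


def precomputed_table(salt: str = "") -> dict:
    """Attacker side: hash -> password for every wordlist entry, built once.
    With salt="" this models a rainbow table built before any breach. A real
    table is far larger and stored more compactly, but the economics are the
    same: all the hashing is done ahead of time, for a salt of the attacker's
    choosing (usually none)."""
    return {fixed_salt_hash(pw, salt): pw for pw in WORDLIST}


def make_dump(users: dict, per_user_salt: bool) -> dict:
    """Build a database dump {user: (salt, hash)}, either with the shared
    FIXED_SALT or with a fresh random salt per user. In the per-user case the
    salt is stored next to the hash; it is not a secret and need not be."""
    dump = {}
    for user, password in users.items():
        salt = os.urandom(8).hex() if per_user_salt else FIXED_SALT
        dump[user] = (salt, fixed_salt_hash(password, salt))
    return dump


def crack_dump(dump: dict) -> tuple:
    """Offline attack on a dump whose salts are known (in the dump itself, or
    in leaked PHP source). One table is built per distinct salt, so work is
    shared between every user with the same salt.
    Returns (cracked {user: password}, number of hashes computed)."""
    tables = {}
    hashes_computed = 0
    cracked = {}
    for user, (salt, stored) in dump.items():
        if salt not in tables:
            tables[salt] = precomputed_table(salt)
            hashes_computed += len(WORDLIST)
        if stored in tables[salt]:
            cracked[user] = tables[salt][stored]
    return cracked, hashes_computed


if __name__ == "__main__":
    # The login path works regardless of how weak the password is.
    stored = fixed_salt_hash("dummy")
    print("login with 'dummy':", verify_login(stored, "dummy"))

    # Point 1: a table built without the salt misses the salted hash.
    rainbow = precomputed_table("")
    print("unsalted md5('dummy') in table:", rainbow.get(fixed_salt_hash("dummy", "")))
    print("salted hash in table:", rainbow.get(stored))

    # Knb15's objection: with the salt known, 'dummy' falls to one wordlist pass,
    # and a single fixed salt means one pass covers every user in the dump.
    shared = make_dump(USERS, per_user_salt=False)
    print("fixed salt:", crack_dump(shared))
    print("USER1 and USER3 hashes equal:", shared["USER1"][1] == shared["USER3"][1])

    # Per-user salts: the weak passwords still fall, but the attacker pays the
    # wordlist cost once per user instead of once per dump.
    per_user = make_dump(USERS, per_user_salt=True)
    print("per-user salt:", crack_dump(per_user))
```

Run as a script it prints the login result, the two table lookups, and the cracked accounts together with the number of hashes the attacker had to compute: 5 for the fixed-salt dump (one table serves all three users, and USER1 and USER3 get identical stored hashes, which also reveals that they share a password) versus 15 for the per-user dump. The salt fixes the precomputation problem, not the guessing problem; the other half of protecting weak passwords in a dump is a deliberately slow hash such as bcrypt or PBKDF2 (in PHP 5.5 and later, password_hash() and password_verify() handle both the per-user salt and the slow hash), and nothing in the database protects against online guessing at the login form, which is what lockout and rate limiting are for.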
Knb15 (Jr. Member, Posts: 50, Joined: Tue Feb 23, 2010 10:18 am)

Post Thu Jan 27, 2011 3:50 pm

Re: Web Application Password Security

Yes it did. Thank you H1t Monk3y!

Powered by phpBB® Forum Software © phpBB Group.