I have developed a web application for work, using PHP for the server side and just HTML/CSS on the client side.
My question revolves around the fact that I store the user passwords in a MySQL db. These passwords are hashed before being inserted into the db, so that the db contains the hashes, not the actual passwords.
I stumbled upon a blog about "secure hashes in PHP using salt" (http://pbeblog.wordpress.com/2008/02/12 ... sing-salt/). At first I was interested because I happen to work for a group of individuals who are not computer savvy. They have trouble remembering the simplest of passwords.
The idea of the blogger is to add a salt to the simple password a user may choose, and that salt will make the easy password a stronger password if a strong salt is used. (not a new idea)
I agree that it is better to save hashes of the password to the database and not the actual password.
However, from how I looked at it, I can't see how using a salt can help strengthen a password in order to help prevent brute forcing or dictionary attacks.
For instance, USER1's password is "dummy", password is hashed using MD5 with a salt of "!@#$" and stored in the DB.
Now to access the account, USER1 supplies the username and types his password, "dummy". The PHP application applies the salt and hashes it, then checks the DB for a match, which it finds, so USER1 is logged in.
My point is, the salt here doesn't help to make a sloppy password stronger if the same salt is applied to any password supplied. If I eventually guess that the password is dummy and supply it, it doesn't matter that I don't know what the salt is.
My question is, is that the only way the salt can be used? To help secure the password in the DB? Or is there another use to it that does help make a password stronger?
If it did help I suppose other applications wouldn't have such stringent password complexity requirements. They would just accept any weak password and apply a strong salt to it. Doesn't seem right unless it can be used in a way I am not aware of.
Appreciate any input.
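
The login flow described in the post, written out as an added example that is not part of the original post or the linked blog. It puts the fixed-salt MD5 scheme next to PHP's built-in `password_hash()`, which generates a random salt per stored hash, to show what a salt changes (the stored values) and what it does not (a correct guess at the login form). The function names, the sample accounts and the choice to prepend the salt are assumptions.

```php
<?php
// Added illustration. Helper names and the salt-prepended layout are
// assumptions; the salt "!@#$" and password "dummy" come from the post.
const SITE_SALT = '!@#$';

// Scheme from the post: one fixed salt for every account, MD5 digest.
function fixed_salt_hash(string $password): string
{
    return md5(SITE_SALT . $password);
}

// Login check for the fixed-salt scheme: re-apply the salt, compare digests.
function fixed_salt_login(string $stored, string $attempt): bool
{
    return hash_equals($stored, fixed_salt_hash($attempt));
}

// Constructed sample rows: two users who both chose the same weak password.
$fixed = [
    'USER1' => fixed_salt_hash('dummy'),
    'USER2' => fixed_salt_hash('dummy'),
];

// A guess typed into the login form is salted by the server itself, so the
// person guessing never needs to know the salt.
echo "fixed salt, login with 'dummy': ";
var_dump(fixed_salt_login($fixed['USER1'], 'dummy'));

// With one shared salt, equal passwords produce equal rows. A single table
// of salted digests built once can be compared against every account.
echo "fixed salt, rows identical: ";
var_dump($fixed['USER1'] === $fixed['USER2']);

// password_hash() draws a fresh random salt on every call and stores it
// inside the returned string together with the algorithm and cost.
$random = [
    'USER1' => password_hash('dummy', PASSWORD_DEFAULT),
    'USER2' => password_hash('dummy', PASSWORD_DEFAULT),
];

// Equal passwords no longer share a stored value, so each row has to be
// attacked separately if the table is ever copied.
echo "per-user salt, rows identical: ";
var_dump($random['USER1'] === $random['USER2']);

// password_verify() reads the salt back out of the stored string; the login
// form behaves exactly as before for a correct guess.
echo "per-user salt, login with 'dummy': ";
var_dump(password_verify('dummy', $random['USER1']));
```

In both schemes the password "dummy" is accepted at login, so guessing against the form is limited by password rules and attempt throttling, not by the salt.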