Is a static salt enough when storing passwords?

David Carr

2 min read - 28th Jul, 2012

No is the short answer, equally having random salts stored in the database is not that much better if the database is accessed it can still without too much trouble be run through brute force and get the passwords I've come across what seems to be a far more secure way using bcrypt

"bcrypt is an hashing algorithm which is scalable with hardware (via a configurable number of rounds). Its slowness and multiple rounds ensures that an attacker must deploy massive funds and hardware to be able to crack your passwords. Add to that per-password salts (bcrypt REQUIRES salts) and you can be sure that an attack is virtually unfeasible without either ludicrous amount of funds or hardware.

bcrypt uses the Eksblowfish algorithm to hash passwords. While the encryption phase of Eksblowfish and Blowfish are exactly the same, the key schedule phase of Eksblowfish ensures that any subsequent state depends on both salt and key (user password), and no state can be precomputed without the knowledge of both. Because of this key difference, bcrypt is a one-way hashing algorithm. You cannot retrieve the plain text password without already knowing the salt, rounds and key (password). "

There's a class on Stack Overflow writtem by Andrew Moore that looks like it will do the job

I'm in the middle of writing it into my users class for my latest CMS going to be slightly more work but if it means its more secure it will be worth it.

Add a comment

Copyright © 2006 - 2024 DC Blog - All rights reserved.