One Salt Per Hashed Password

July 1, 2008 at 3:13 am · Filed under PHP, security ·Tagged , , ,

Intro
Hashing passwords are a great idea (Note: some people use the terms hashed and encrypted interchangeably). The basic premise is easy: make a hash of a password that only goes one way . . . password –> hashed string. You can’t go from hashed string to password. Then the process of logging in goes like this:

  • take a user-supplied username/password combination
  • run the same hash process on that password
  • take the result and and compare it to what you have in the database

Salt!
What could be even better? Adding a salt, of course! A salt is an additional string/characters that you add to the password before you make a hash of it. This increases the ‘randomness’ of the resulting hash. No longer is it made by just (for example) a weak password like ‘password’, but an extra salt is added to increase the strength.

Doing this, the process to login a user would be as follows:

  • take a user-supplied username/password combination
  • running the same hash process on that password, including the same salt
  • take the result and and compare it to what you have in the database

Even Better
Now, lets say hypothetically that an attacker gains access to your database full of hashed passwords. If they manage to figure out the hash and the salt, they have just gained access to all those passwords. An additional hurdle you can throw at a would-be attacker is making sure you use a different salt on each password. How? Well there’s many ways to do this and you can get creative. One common method is using something such as a username in the salt.

Now, the process would go like this:

  • take a user-supplied username/password combination
  • generate your “dynamic” salt using the person’s username. then use that salt and make a hash of the password
  • take the result and and compare it to what you have in the database

But What If . . .
What happens if the user changes their username? Wouldn’t that make it impossible to then generate the same salt originally used to hash the password? Well, yes. In this case, ask the user to also resubmit their password. Upon changing the username, regenerate the hash as well and store it in the database.

Interesting debate/discussion on this @ devnetwork.


Leave a Comment