Development Discussion Board

[bantu]

Hello bantu,
no, this doesn't increase security.

How? Source for this statement?

It clearly does. When there is a SQL injection I get all the salts and all the user password hashes.

Your proposal:
1 salt
u user hashes

I take my dictionary with w words and hash all the words with the hash function and the one salt.

Complexity for hashing all words: 1 * w
Then I compare the results with all u user hashes.

Per-password-hashes:
u salts
u user hashes

Again, I take my dictionary with w words and hash all the words with the hash function, but have to do this for every salt.

Complexity for hashing all words: u * w
Then I compare the results with all u user hashes.

Also, the salt changes when the password changes.

I think it's more secure to have one salt in CONFIG_TABLE and all passwords in USERS_TABLE insteat of saving all salts and all passwords together in one table USERS_TABLE.

Yeah, you can think that if you want. Again, please read up on Password Hashing and Salting. Buy a good crypto book or something.

Still I don't believe that there are rainbow tables with hashes for random strings. Please show me a source for this statement.

Use your favorite search engine and search for "rainbow table".

[brunoais]

Anyway, the best option is a boardwide salt and a user salt.
I actually don't know how better it is against a user salt nevertheless it is better. And we could save that salt in a harder-to-find place like the config.php. It's not full proof but it's harder to reach because the attacker would need to attack the DB and the file system in order to get that salt.

[callumacrae]

Anyway, the best option is a boardwide salt and a user salt.
I actually don't know how better it is against a user salt nevertheless it is better. And we could save that salt in a harder-to-find place like the config.php. It's not full proof but it's harder to reach because the attacker would need to attack the DB and the file system in order to get that salt.

Yeah, this.