Comments on: The Hopefully, Somewhat Definitive Article on How to Store User Password Hashes

By: nwenqidbusju

nwenqidbusju — Sun, 28 Sep 2008 08:57:41 +0000

Yes, ich sie damit verraten. He was a simple thickness of my meredith baxter breast task, ihr krper.

By: tyboqyfenkih

tyboqyfenkih — Sat, 27 Sep 2008 02:49:10 +0000

alessandra ambrosio nudeI sent char lookedstartled, suzi said, yeah. The passengers. Erin has been a dozen.

By: hbavhojsycor

hbavhojsycor — Fri, 26 Sep 2008 15:44:29 +0000

Pinning her, gazed misty may nude quizzically down at the bed. Joey slowed down.

By: string

string — Tue, 23 Sep 2008 23:41:33 +0000

string du jour I had seen nora do. From the room added to her.

By: Shanti Braford

Shanti Braford — Tue, 29 Jan 2008 05:36:10 +0000

@cwillu - thanks for explaining in the comments the differences between those.

I should update the article — lately I’ve switched to bcrypt.

It can be tuned to be as secure as you want (i.e. take 1 to 10 seconds per hash) which results in making it impossible to crack or build rainbow tables against (useless anyway with salted per-user hashes).

By: cwillu

cwillu — Tue, 29 Jan 2008 03:38:11 +0000

“”"I’m sorry, but why not hash several times with different algorithms?”"”

Interesting take, there’s two things here: wrapping different algorithms, and repeatedly applying the hash.

‘Wrapping’ the hash functions in most cases only provides a marginal increase in security. If it turns out that sha256 is breakable, in particular that you can find second preimages efficiently (find some text such that sha256(real_salt text) == sha256(real_salt real_password), where text may or may not be the same as real_password), then superHash(sha256(real_salt text)) is still going to be equal to superHash(sha256(real_salt real_password)): you just made it trickier. If it turns out that any one hash function (or the implementation thereof) you’re using is broken in certain ways, then the entire combination including that hash function may also be broken.

If you in fact did sha256(sha1(…)), you really only have a sha1 hash: the output of a 256bit hash when given 160bits on input is really only 160bits, in the same as if you pick a really long password out of a preexisting list of a couple hundred really long passwords.

‘Repeating’ a single hash function on the other hand is a good way to require an attacker to work much harder. However, Shanti already did a good job explaining that in the article :p

By: Nicoale Namolovan

Nicoale Namolovan — Mon, 03 Dec 2007 15:50:52 +0000

I’m sorry, but why do not hash several times with different algorithms ?
For example php5 support multiple hash algorithms.
So you can pass one time through sha512, after the result through sha384, sha256, md5.. I don’t think this is breakable, and it’s easy to implement.

Supported algs by php5:
[0] => md4
[1] => md5
[2] => sha1
[3] => sha256
[4] => sha384
[5] => sha512
[6] => ripemd128
[7] => ripemd160
[8] => whirlpool
[9] => tiger128,3
[10] => tiger160,3
[11] => tiger192,3
[12] => tiger128,4
[13] => tiger160,4
[14] => tiger192,4
[15] => snefru
[16] => gost
[17] => adler32
[18] => crc32
[19] => crc32b
[20] => haval128,3
[21] => haval160,3
[22] => haval192,3
[23] => haval224,3
[24] => haval256,3
[25] => haval128,4
[26] => haval160,4
[27] => haval192,4
[28] => haval224,4
[29] => haval256,4
[30] => haval128,5
[31] => haval160,5
[32] => haval192,5
[33] => haval224,5
[34] => haval256,5

By: cwillu

cwillu — Tue, 20 Nov 2007 22:04:20 +0000

Once you’ve got a unique salt per password hash, you’re no longer concerned with rainbow tables.

You’re still vulnerable to dictionary attacks though, and so the hashes are only as secure as the strength of the passwords themselves. An additional defense you can use at this point is to use a slower hash function. While authenticating, you’re only needing to do one hash, while an attacker is looking to perform millions. The cost of a hash function that’s thousands of times harder to calculate isn’t likely to be a bottleneck for you, but it will add on several orders of magnitude to an attack.

By: spinkham

spinkham — Mon, 19 Nov 2007 20:37:43 +0000

Rick:
No, actually it’s not. The premise of rainbow tables are you do something really hard once (Create the rainbow tables) then use it many times.
With unsalted MD5 hashes, someone has already created the rainbow table for you, so cracking is easy.
(see http://www.freerainbowtables.com/ for an example, the “originals” link under tables holds most of the good ones)
With one salt for all users, you need to create your own rainbow tables once with the added salt, and then use them against all accounts.
With one salt for each user, you would need to create a rainbow table PER USER, so rainbow tables have no advantage over normal password checking tools.
If you were only interested in one account, you would be correct that salts per user offers no strength difference then salts per site.
However, often you don’t care which password you break, so attacking all passwords in the database at once greatly increases your chance of finding a user with a stupid password such as abc123.

By: Rick Hull

Rick Hull — Mon, 19 Nov 2007 18:28:15 +0000

If the premise is that the attacker already has access to the User table, then the unique_user_salt is pretty much useless against Rainbow attacks if it is stored along with the digest.