#1
    Password encryption


    Hi to all,

    I have some questions about password security that I haven't been able to find an answer to yet.
    Hopefully you guys know.

    Here it goes:

    1. Is it better to hash (sha2) the password and then salt it, or salt it and then hash it?
    2. I'm guessing that using a random salt is better than the same salt used for every password.
    3. How can you generate a different random salt for each password? I mean, how will the login page know which random salt to mix with the hashed user-inserted password and then compare it with the password stored in the db? (An example would be great, for both generating and authentication.)
    4. I saw some code in which the salt and/or hash and/or password was split in two (ex: hash.salt1a.password.salt1b or password1a.salt.password1b or salt.hash1a.password.hash1b etc.). Is this a good idea? Is it really more secure? If so, which would be more secure (splitting the password, the hash or the salt)?
    5. Is double hashing (ex: sha1(md5($password))) any good?
    6. I've been reading something about password salt and pepper. What exactly is pepper? Is it some sort of second salt?

    If somebody could enlighten me about these questions, that would be great.

    Thanks in advance!
  2. #2
  3. Code Monkey V. 0.9
    Originally Posted by nameless.1
    1. Is it better to hash (sha2) the password and then salt it, or salt it and then hash it?
    Salt first, then hash. Salting after hashing won't have any effect on the hash itself, so there's no point doing any sort of salt after the fact.

    Originally Posted by nameless.1
    2. I'm guessing that using a random salt is better than the same salt used for every password.
    Yes.

    Originally Posted by nameless.1
    3. How can you generate a different random salt for each password? I mean, how will the login page know which random salt to mix with the hashed user-inserted password and then compare it with the password stored in the db? (An example would be great, for both generating and authentication.)
    I use a function that returns a string of random characters. That salt value is stored in the user's record with the password. There's not a lot else that can be done because as soon as you generate a new salt value, your hashed password is no longer correct.

    Originally Posted by nameless.1
    4. I saw some code in which the salt and/or hash and/or password was split in two (ex: hash.salt1a.password.salt1b or password1a.salt.password1b or salt.hash1a.password.hash1b etc.). Is this a good idea? Is it really more secure? If so, which would be more secure (splitting the password, the hash or the salt)?
    Yes, it's a very good idea. A lot of systems will use this so that in conjunction with the random salt that's stored for each user, there's also a system-wide salt value that's used as well. That way you need both values before the correct hash can be computed. As far as a difference between splitting the salt and splitting the password, I don't believe that it would make a great deal of difference as salting the password in the first place takes care of most of the issues of "insecure" passwords.

    Originally Posted by nameless.1
    5. Is double hashing (ex: sha1(md5($password))) any good?
    No. In some cases doing multiple hashes actually reduces the security of the hash value. Stick with doing it once through the most secure method that you have access to on your system.

    Originally Posted by nameless.1
    6. I've been reading something about password salt and pepper. What exactly is pepper? Is it some sort of second salt?
    I haven't heard of that before, but I'd think the same as you: it's just another terminology for using two salt values at the same time.
  4. #3
  5. Transforming Moderator
    Copied into Sec & Crypto from PHP. I guess this thread can be more about the crypto and less about the PHP.


    4. A popular one is HMAC, which is roughly
    Code:
    hash(salt1 + hash(salt2 + value))
    6. "Pepper" tends to refer to a constant (but random) value defined for the entire system. While the salt gets stored alongside the hash, the pepper is recorded somewhere else, and without both of them the hash can't be reversed into the/an original text.
    Last edited by requinix; April 30th, 2012 at 01:32 AM.
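
Question 3 asks for an example of both generating and checking a per-user salt, and the last reply describes a system-wide pepper; the following is an added example covering both, not code from any poster in this thread. Assumptions: the function names, the `salt$hash` record format, the pepper value and the iteration count are made up for illustration, and PBKDF2-HMAC-SHA256 is swapped in for the single SHA-2 pass discussed above so that each guess is deliberately slow.

```python
import hashlib
import hmac
import secrets

# Assumption: the pepper is a system-wide secret loaded from configuration
# kept outside the database. This constructed value is for the demo only.
PEPPER = b"constructed-demo-pepper-not-for-production"
ITERATIONS = 200_000  # PBKDF2 work factor (assumed value; tune per hardware)


def _derive(password: str, salt: bytes, pepper: bytes) -> bytes:
    # Mix in the pepper as an HMAC key, then stretch with the per-user salt.
    peppered = hmac.new(pepper, password.encode("utf-8"), hashlib.sha256).digest()
    return hashlib.pbkdf2_hmac("sha256", peppered, salt, ITERATIONS)


def hash_password(password: str, pepper: bytes = PEPPER) -> str:
    """Registration: create a fresh random salt and return the record to store."""
    salt = secrets.token_bytes(16)
    digest = _derive(password, salt, pepper)
    # The salt is not secret; it is stored in the same record as the hash.
    return f"{salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str, pepper: bytes = PEPPER) -> bool:
    """Login: read the salt back out of the stored record and recompute."""
    try:
        salt_hex, digest_hex = stored.split("$")
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)
    except ValueError:
        return False  # malformed or truncated record
    candidate = _derive(password, salt, pepper)
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    record_a = hash_password("correct horse")
    record_b = hash_password("correct horse")
    print("stored record:", record_a)
    print("same password, different records:", record_a != record_b)
    print("right password verifies:", verify_password("correct horse", record_a))
    print("wrong password verifies:", verify_password("wrong horse", record_a))
    print("without the pepper:", verify_password("correct horse", record_a, b"x"))
```

The login page never has to guess the salt: it looks up the user's stored record, splits the salt off the front, and repeats the same derivation on the submitted password.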
