Security Basics mailing list archives

Re: Hashing passwords


From: Jennifer Wachter <jenny () recurity-labs com>
Date: Tue, 12 Jun 2012 15:28:22 +0200


Hi Hazardous,


The "manuals" say that we should create a salt and then hash it. But, since calculating a hash is a "relatively
simple" operation (in terms of processing power), is hashing the password two or three times (hash over hash) a
"kind of" secure method, or is it as weak as not using a salt at all?


I think you got something wrong. A "salt" is not the procedure of
hashing the password two or more times.
A salt is a randomly generated string that is appended to the plain text
password, and then the whole thing is hashed.

for example:
PW: password
salt (random): salt
stuff to hash: passwordsalt
sha1hash for passwordsalt: fde41e5e324b4f932a7ea5a056964ed3de60373d

You have to map the salt to a
The random salt is used to make it impossible (or at least very expensive)
to attack the hash with rainbow tables.
If you use salts, identical passwords of different users don't have the
same hash, because normally the salt is different.
If you don't use salts, hashing the same password will give you the same
hash. (Sometimes, different users use the same PW).

A good explanation of how salts are used and what they are for can be found on
Wikipedia.[1]

HTH,
Jenn

[1] http://en.wikipedia.org/wiki/Salt_%28cryptography%29
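A worked version of the scheme described in the mail (a random salt appended to the plain text password, then SHA-1), added here as an illustration rather than code from the poster. It also shows why the hash-over-hash idea from the question still gives two users with the same password the same stored value. The function names, the per-user record layout and the constructed user table are assumptions.

```python
import hashlib
import hmac
import os


def sha1_hex(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()


def hash_over_hash(password: str, rounds: int = 3) -> str:
    """The idea from the question: sha1(sha1(sha1(password))), no salt.
    Deterministic, so equal passwords always give equal output."""
    digest = password.encode()
    for _ in range(rounds):
        digest = sha1_hex(digest).encode()
    return digest.decode()


def salted_hash(password: str, salt: str) -> str:
    """The scheme from the mail: hash the plain text password with the salt appended.
    salted_hash("password", "salt") hashes the string "passwordsalt"."""
    return sha1_hex((password + salt).encode())


def new_record(password: str) -> dict:
    """Store the random salt next to the hash; the salt is needed again to verify."""
    salt = os.urandom(16).hex()  # 128 random bits, hex-encoded (assumed format)
    return {"salt": salt, "hash": salted_hash(password, salt)}


def verify(record: dict, password: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    return hmac.compare_digest(salted_hash(password, record["salt"]), record["hash"])


def demo() -> dict:
    # Constructed user table: alice and bob happen to share a password.
    users = {"alice": "password", "bob": "password"}
    unsalted = {u: hash_over_hash(p) for u, p in users.items()}
    salted = {u: new_record(p) for u, p in users.items()}
    return {
        "hash_over_hash_collides": unsalted["alice"] == unsalted["bob"],
        "salted_collides": salted["alice"]["hash"] == salted["bob"]["hash"],
        "alice_verifies": verify(salted["alice"], "password"),
        "wrong_pw_rejected": verify(salted["alice"], "Password"),
    }
```

Plain SHA-1 is used here only because that is what the mail illustrates; a purpose-built slow password hash (PBKDF2, bcrypt, scrypt) is the better choice for the final step in a real system.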
