Geek Answers Handbook

What is the use of "random" salt over a "unique" salt?

I am currently writing a program, and part of it includes the reliable creation of hashes for storage in the database, and I came across phpass which seems to be highly recommended. In phpass, they seem to go a long length to get a salt that is truly random so that it can be used for hashes (e.g. reading from / dev / urandom).

My question is: what is the advantage of this, and not just using uniqid() ? Don't you just need to make sure that the salts used for hashes are different, not random? Wouldn't the use of a truly random salt really be worse than using a unique salt, as it could potentially cause collisions, and uniqid () would not?

Edit: My question was not about whether or not "true" randomness exists in computer environments, so maybe I messed it up incorrectly, however my question was more about whether the "more" random salt had any benefit more unique than salt.

+4
source share
4 answers

In PHP, the uniqid() function calculates its result based on the current time. This helps to ensure that the values โ€‹โ€‹are unique because they are not twice or twice, however this does not work on multiple servers, since it is purely time-based. Using something temporary is bad, because the number of different values โ€‹โ€‹that uniqid() can create is very limited. Assuming PHP has been used for 25 years, it calculates up to 7.89e + 14 microseconds that have passed, and therefore the same number of values โ€‹โ€‹would be produced for uniqid() .

This is a very large number, however, assuming that we can get a truly random salt, the chance of collision is actually much less than when using uniqid() . Possible symbols that can be used as salt:

 ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/

This means that we use 64 different characters for a salt of 22 characters, which computes approximately 5.44e + 39 different combinations.

Thus, basically, trying to make something unique, it is actually less unique than if you were using a random source.

0
source

I'm trying to find links to some exploit predicates (and struggling!), But the idea of โ€‹โ€‹a cryptographically random salt, as opposed to a random value, such as that created by uniqid (), is to protect against encryption attacks with encrypted text. A salt with a predictable pattern, such as a unique identifier generated by a pseudo-random number generator, takes some of this variability from ciphertext and, of course, in cryptography, unpredictability is what you are looking for.

Of course, if a cryptographically secure random number generator is available to you in your sample (i.e. RNGCryptoServiceProvider in .NET), you would choose more predictable patterns for this. I will see if I can find good precedents or documents on this subject.

+1
source

Mike, as I said in my other answer, I would not think that this is a salt problem, but if you are really worried about true / pseudo randomness, you can use the numbers from random.org. Look at the difference , a and see how to get true random number in PHP .

-1
source

I think this does not matter, since the salt should be stored together with the hashed password, so the attacker will get the salt anyway, and the attack will be the same no matter how you generated the salt.

(OT discussion: I argued that I did not see the big advantage of using salt to store passwords - as soon as an attacker receives salt for a specific hashed password, he can do dictionary attacks anyway ... it will be slower because the attacker needs to rephrase the dictionary for each salt of passwords, but .. md5 () is fast as hell, and if the attack takes 5 minutes or half a day, what is the real difference ... I donโ€™t feel much safer with salt than without.)

EDIT - conclusion of the discussion : salt makes a big difference in the time required to crack passwords, but do not use md5 () to hash passwords! Use a very slow hash function like bcrypt (), or if you need to use md5 (), call it many thousands of times!

-nine
source

More articles:


All Articles