Geek Answers Handbook

Should the salt be random to protect the password hash?

I know very little about security (I need to find a basic explanation of the basics), and I'm trying to find a reasonable way to store user passwords in a database using .Net.

Here is my current solution:

private static byte[] HashPassword(string password) { using (var deriveBytes = new Rfc2898DeriveBytes(password, 10)) { byte[] salt = deriveBytes.Salt; byte[] key = deriveBytes.GetBytes(20); return salt.Concat(key).ToArray(); //Return Salt+Key } }

I store the results of HashPassword () in a database. To check the user password, I do this:

 var salt = //1st 10 bytes stored in the DB var key = //Next 20 bytes stored in the DB using (var deriveBytes = new Rfc2898DeriveBytes(password, salt)) { byte[] newKey = deriveBytes.GetBytes(20); if (newKey.SequenceEqual(key) == false) //Check if keys match { return "No Match"; } else { return "Passwords match"; }

My question is that the salt should be random and stored in a database like this, or if I can generate a 10-byte salt and save it in my code and always use the same salt to save myself, keeping the salt in DB and just save the key?

Also, if anyone sees any other problems with what I'm doing, I would appreciate any advice.

+8
security passwords rfc2898
source share
2 answers

My question is that the salt should be random and stored in a database like this, or if I can generate a 10-byte salt and save it in my code and always use the same salt to save myself, keeping the salt in DB and just save the key?

ABSOLUTELY NOT.

You do not understand the purpose of salt, even if you ask this question.

The purpose of the salt is to make it more difficult for an attacker to use a pre-computed hashed shared password table. If the salt is always the same, then the attacker simply pre-computes a hashed shared password table with that salt.

Let me make this clearer. Suppose that an attacker has obtained your password database and sets up an attack on its leisure against all stored hashes in order to determine what is the password corresponding to the hash. If each salt is different, the attacker must establish a new attack against each record in the database. If each salt is the same, then the attacking one user will attack each user.

In addition: suppose you use one salt for each user. Suppose two users have the same password. And suppose the attacker got a password database. Now the attacker knows which two users have the same password , because they have the same salty hash and can make a reasonable assumption that this is the weakest password in the database. An attacker can concentrate his efforts (no matter what may be) on an attack on this user in particular. And as soon as she finds out the user's password, the likelihood that the user used this username and a weak password for other systems can now harm an attacker without the presence of password files.

Good thing you want to know about security; it’s bad that you are trying to write a real password system with your level of understanding. If this is for a real system that should protect real users, use a system created by experts , or hire your own expert . You are going to create a system that cannot be broken, and not a system that an attacker cannot break.

In addition: you ask strangers on the Internet for help with security . Strangers who you have no idea whether they know what they are talking about, or just make themselves think. Get a real security expert (and it's not me - I'm an expert on semantic analyzers). Creating a security system is one of the most difficult programming tasks; you need professional help.

For a brief introduction to the basic password authentication schemes, see my series of articles:

http://blogs.msdn.com/b/ericlippert/archive/tags/salt/

+29
source share

You do not need to use random salt, but if your passwords will be more secure. Obviously, if you use a random salt, you need to save this with a hashed password in db so that you can verify it with the password provided.

A quick google revealed this post that may help you.

+1
source share

More articles:


All Articles