This is a blog post responding to another blog post. The first one recommended using HMAC in a place where it is totally appropriate to use HMAC. The response seems to miss that point.
That first blog post recommended using HMAC for communicating between applications, but then he said that he uses and recommends HMAC to store passwords in his database as well. I think that's what this post is responding to.
PBKDF2 uses HMAC. What's the issue here? A PRF seems the right tool for this particular problem, and HMAC happens to be a PRF that has well understood properties.
Question:
All of these discussions are based on the hacker having access to your database. If you really don't trust your hosting company not to leak your database details, why do you trust them not to overwrite your administrative password with an appropriately salted bcrypt/whatever hash?
There is a difference between being able to dump tables and being able to alter tables. Generally a lot of people have read access to the database, very little have full write access.
The same goes with hacks. It's easier to get unauthorized read access than unauthorized write access.
1. Most users use the same email/userid and same password across variety of sites. A compromise of your site should not automatically compromise all other sites.
2. Backups have tendency to leak more so than the server security itself.
So, if you have a hash, and your salt gets compromised, is there a way to re-salt without losing all old passwords? I'm thinking specifically of frameworks like rails where you can have hashes applied auto-magically.
A "salt", unlike most uses of a nonce, doesn't derive its benefits from secrecy. The only* benefit of the "salt" is essentially to prevent birthday attacks on your password database, since any attacker with the passwords probably also has the salts.
*-Not strictly true. If a user is rotating through a sequence of passwords, changing the salt will obscure that.
In "olden times" (I guess around the fourth empire), common wisdom was to hash like this:
salt = getLongRandomString(); hash = sha256(salt+password); save_in_db = salt+"$"+hash
Thus, while you don't publish them, salts aren't "secret". That's based on the assumption that a cracker would have to bruteforce each password in turn, and that takes too much time.
But no, you can't re-hash with a new salt without access to the plain-text password. If you could, so could the bad guy :)
Disclaimer: IANAC, and if I were building security for mission critical stuff, I'd ask someone who was.
You could probably write something to expire the salt and next time that user logs in providing their plain text password a new salt could be generated and a new hash could be saved.
The author admits to having little math ability and makes cryptographic recommendations anyway? Cryptography is math. If you don't know math, you don't know cryptography.
The author is arguing that it is good enough, and going any farther is unnecessary complicated. However, the use of a static salt or modifier, in this case "foo" does not change much if anything to the attacker. All portions of the salt should be random based on the user or account, so that for each individual account, an entire rainbow table would have to be created, which even with distributed cloud computing would be too expensive.
There was an article linked a while ago that plotted prices to crack common hashes using Amazon's cloud, and even for 8 length alphanumeric + symbol it was over $50,000 of estimated computing, adding a significant unique salt (username in this case) would make it unjustifiable from a monetary point of view.
[+] [-] justin_vanw|16 years ago|reply
To store passwords in a database the 'proper hash' to use is openbsd's bcrypt. http://www.openbsd.org/papers/bcrypt-paper.ps
[+] [-] travisp|16 years ago|reply
[+] [-] fexl|16 years ago|reply
[+] [-] cynicalkane|16 years ago|reply
[+] [-] cperciva|16 years ago|reply
[+] [-] randombit|16 years ago|reply
[+] [-] oconnore|16 years ago|reply
[+] [-] shin_lao|16 years ago|reply
The same goes with hacks. It's easier to get unauthorized read access than unauthorized write access.
[+] [-] DenisM|16 years ago|reply
2. Backups have tendency to leak more so than the server security itself.
[+] [-] ErrantX|16 years ago|reply
That is not the case this protects against
[+] [-] danskil|16 years ago|reply
[+] [-] amalcon|16 years ago|reply
*-Not strictly true. If a user is rotating through a sequence of passwords, changing the salt will obscure that.
[+] [-] mseebach|16 years ago|reply
salt = getLongRandomString(); hash = sha256(salt+password); save_in_db = salt+"$"+hash
Thus, while you don't publish them, salts aren't "secret". That's based on the assumption that a cracker would have to bruteforce each password in turn, and that takes too much time.
But no, you can't re-hash with a new salt without access to the plain-text password. If you could, so could the bad guy :)
Disclaimer: IANAC, and if I were building security for mission critical stuff, I'd ask someone who was.
[+] [-] wizard_2|16 years ago|reply
[+] [-] DanielStraight|16 years ago|reply
[+] [-] judofyr|16 years ago|reply
[+] [-] ElbertF|16 years ago|reply
[+] [-] enntwo|16 years ago|reply
There was an article linked a while ago that plotted prices to crack common hashes using Amazon's cloud, and even for 8 length alphanumeric + symbol it was over $50,000 of estimated computing, adding a significant unique salt (username in this case) would make it unjustifiable from a monetary point of view.