To salt or not to salt

admin by admin in Blog

In common with many other systems, E107 currently stores passwords as an 'MD5 hash'.

In common with many other systems, E107 currently stores passwords as an 'MD5 hash'. This is a 'one-way' encoding which makes it difficult to recover the original password, or one which will also work. For many systems this is perfectly adequate.

Needless to say, if you can recover the 'hash', it is possible to 'crack' these passwords given enough time and computing power. You can use the 'dictionary' approach, which works if the user has chosen a normal word for their password. Or you can use 'rainbow tables' (http://en.wikipedia.org/wiki/Rainbow_tables) - in principle, for each possible hash value you precalculate a value which will work as a password. This is a one-off operation. Cracking passwords then becomes a simple matter of looking up the hash in the rainbow table - much faster than doing lots of calculations.

0.8 gives an option to improve security by using a 'salt'. This salt (which is a text string) is combined with the entered password prior to calculating the hash function. The salt is different for each user, and is 'public' information (in that it is stored 'in clear' in the database).

This makes password cracking, especially bulk password cracking, much harder, since its no longer possible to use a standard rainbow table. Its necessary to calculate the rainbow table for each password you want to crack, which greatly increases the computing effort needed. So still crackable, but much harder to do. So hopefully any hacker will go and annoy someone else.

Salted passwords aren't needed by everyone - they do complicate password management in a number of ways. The option is there if you need it.


Social Links