Hello and welcome to our community! Is this your first visit?
Register
Enjoy an ad free experience by logging in. Not a member yet? Register.
Results 1 to 5 of 5

Thread: salt reminder

  1. #1
    Master Coder
    Join Date
    Apr 2003
    Location
    in my house
    Posts
    5,211
    Thanks
    39
    Thanked 201 Times in 197 Posts

    salt reminder

    I currently use salt for my md5 encrypted passwords. (thanks Fish).

    I want to move on to variable salt encryption where each pwd has a different, random salt but my aim of retaining that knowledge until I was ready for this step, has failed.

    my question is, will the salt always be the same length after hashing, so it won't matter when it comes to splitting off the salt for comparison with the pwd? Or should I always ensure the salt is of a given length, pre-encryption?

    I am trying to work out how - if it is that consistent, that it won't easily be cracked.
    Code:
     if ($encrypted_pass && $login{'username'} eq "$user_name") {
          my $salt = substr($encrypted_pass, 3,8);
        my $password = unix_md5_crypt( $login{'password'}, $salt );
    bazz
    "The day you stop learning is the day you become obsolete"! - my late Dad.

    Why do some people say "I don't know for sure"? If they don't know for sure then, they don't know!
    Useful MySQL resource
    Useful MySQL link

  • #2
    Super Moderator
    Join Date
    May 2005
    Location
    Southern tip of Silicon Valley
    Posts
    2,839
    Thanks
    2
    Thanked 160 Times in 155 Posts
    The length of the salt value should remain constant. However, as long as it isn't being used by the system (such as in the /etc/passwd file) then it could vary in length, but that just complicates the authentication process in your script, so why would you want to do that?

    The salt value is only one part of the authentication process. The most important part in adverting the password being cracked is to make sure that users use a good password that is at the very least 6 characters and is not simply based on a dictionary word or number. I've seen users using 1234 as a password. That can be cracked in a fraction of a second.

    FYI,
    The password encryption that I showed you in previous threads can be used to generate *nix login passwords which are more secure than Windows passwords. When authenticating *nix login passwords, then you should look at using PAM authentication.

    Authen::PAM - Perl interface to PAM library
    http://search.cpan.org/~nikip/Authen-PAM-0.16/d/PAM.pm
    Last edited by FishMonger; 11-16-2009 at 04:36 AM.

  • #3
    Master Coder
    Join Date
    Apr 2003
    Location
    in my house
    Posts
    5,211
    Thanks
    39
    Thanked 201 Times in 197 Posts
    Thanks FishMonger.

    I am confused over the difference between a *nix password and a windows password. I always thought the password was just a password and should be encrypted with something like MD5.

    Any chance there is a tutorial you know of that explains the difference/significance of the difference.

    Is there anything wrong with storing the encrypted password in a mysql db? what is the difference between the two methods - MySQL or the unix file(passwd).

    bazz
    Last edited by bazz; 11-16-2009 at 05:51 AM.
    "The day you stop learning is the day you become obsolete"! - my late Dad.

    Why do some people say "I don't know for sure"? If they don't know for sure then, they don't know!
    Useful MySQL resource
    Useful MySQL link

  • #4
    Super Moderator
    Join Date
    May 2005
    Location
    Southern tip of Silicon Valley
    Posts
    2,839
    Thanks
    2
    Thanked 160 Times in 155 Posts
    Hmm, I guess I did a good job of confusing the issue.

    I'll try to keep this explanation to minimum and at a high level.

    First and most important is that you're authenticating users at the application level and those user accounts have no relation to the user accounts on the system. So you are completely free to use any type of password policies and authentication procedures that you wish and storing that account info in a database is the most appropriate choice.

    Windows uses a completely different encryption algorithm and authentication process than UNIX/Linux systems. So if you ever do need to authenticate a system user account, you'll need to use the authentication process used on that platform.

    I have several scripts that combine the system and application level authentication. Meaning that in order to use the application, the user must have a valid user account at the OS level.

  • #5
    Master Coder
    Join Date
    Apr 2003
    Location
    in my house
    Posts
    5,211
    Thanks
    39
    Thanked 201 Times in 197 Posts
    Yeh, a penny dropped with me a few minutes ago and I came back up to the PC to post again.

    I confused myself by mixing up the issues of server authentication and passwording my cms. None of my clients will have direct server access. Instead they will be able to manage their web content via the cms. so I hold a value in the db which is an MD5 encrypted pwd and they have to enter a password which the script (you helped me with), md5's to try to match it with that held in the db.

    In order to prevent cracking of these passwords, should I ensure they are changed monthly for example? And is there any improvement in value by md5-ing the pwd twice or some other 'belt and braces' notion I can come up with?

    Thanks for your non-confusing help

    bazz
    "The day you stop learning is the day you become obsolete"! - my late Dad.

    Why do some people say "I don't know for sure"? If they don't know for sure then, they don't know!
    Useful MySQL resource
    Useful MySQL link


  •  

    Posting Permissions

    • You may not post new threads
    • You may not post replies
    • You may not post attachments
    • You may not edit your posts
    •