A salt is a bunch of extra bits, or a key, that is added to a text BEFORE it is encrypted or hashed, making brute forcing ridiculously complicated. Say we were to add "2254hah8f932h9h3fdksahfi32ukr342" to the user's password during sign up, THEN encrypt/hash it and put it into the database.
In PHP, this would look something like the following.
<?php
// signup.php
$username = $_POST['username'];
$password = $_POST['password'];
$salt = "1337securityteam";
$password = md5($password . $salt);
// now you do your mysql database work here
?>
----------------------------------------------
Now say we were to input "ABC" as our password, and submit it to a script that doesn't use salts.
md5(ABC) = 902fbdd2b1df0c4f70b4a5d23525e932
This would take almost no time at all to find with a bruteforcing application, rainbow table or online md5 database.
----------------------------------------------
Now say we were to input "ABC" as our password, but this time to our newly made "salted" script.
md5(ABC + 1337securityteam) = bf92df8551f9b55970f7aa2ee1292efa
The chances of an online database or brute-forcing program finding a match for "ABC1337securityteam" are very low: improbable, but not impossible with a large enough rainbow table.
You can see already that this is a much stronger method, but not invincible. If a hacker were to break into your website and find the key/salt "1337securityteam", he could easily modify his/her bruteforcer, or make a new rainbow table using the key/salt. Then all he would have to do is peer into your databases, and he would instantly be able to bruteforce all your users' passwords.
Now for the ultra secure method. To eliminate the problem of the key/salt being found out, our script must generate a unique key for each sign-up, and then add that key to the database as part of the user's information.
<?php
// signup_secure.php
$username = $_POST['username'];
$password = $_POST['password'];
// This will create some random, obscure number. The only reason we md5 it is
// to make a 16-byte key (32 hex characters) that will be VERY hard to brute
// force. If you want to, you could combine md5 hashes to make a very long key,
// but this will make the script less efficient.
$salt = md5(rand(1,5000) * rand(1,5000) * rand(1,5000));
$password = md5($password . $salt);
// now you do your mysql database work here
// this time, you will need to input into your database THREE values: Username, Password, and the randomly generated Salt
// ($username comes straight from $_POST, so escape or bind it before it reaches the query)
//
// ex. mysql_query("INSERT INTO `userinfo` (`name`, `pass`, `salt`) VALUES ('$username', '$password', '$salt')");
?>
Let's say we enter "ABC" as our password again, but this time, the randomly made key/salt is added on.
$salt = md5(244 * 9 * 392); // say those are the numbers that came up using the rands.
That will lead to $salt = md5(860832);
Which will make a final key of "2c06769787570f65ee46702c6492bebe".
Then our password is calculated as "ABC + 2c06769787570f65ee46702c6492bebe".
That will make our final, encrypted password = "b941ba958ea3716f374c5f6a51c5be05". I can tell you now, no database or table will have "b941ba958ea3716f374c5f6a51c5be05" in it, because they will probably not have "ABC2c06769787570f65ee46702c6492bebe" as a possible word.
Now all that's left is to insert the key into the database along with our newly made password and the user name.
When the user logs in, all you have to do is retrieve the salt from the database, add it to the password they typed in to log in, and you know the rest.
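The sign-up and login steps described above, as an added PHP example that is not part of the original tutorial. The function names and the in-memory array standing in for the `userinfo` table are assumptions; the salt is drawn from random_bytes() rather than rand(), and PBKDF2-SHA256 (hash_pbkdf2) is swapped in for md5() so that each guess is slow. It assumes PHP 7.1 or later.

```php
<?php
// Added example: hypothetical helper names; an in-memory array stands in for
// the `userinfo` table (name, pass, salt) used in the tutorial.

const PBKDF2_ITERATIONS = 100000; // assumed work factor; tune for your hardware

function hash_with_salt(string $password, string $salt): string
{
    // Slow, salted derivation (swapped in for md5); returns 64 hex characters.
    return hash_pbkdf2('sha256', $password, $salt, PBKDF2_ITERATIONS, 64);
}

function signup(array &$db, string $username, string $password): void
{
    // Unique salt per sign-up, drawn from the OS CSPRNG (32 hex characters).
    $salt = bin2hex(random_bytes(16));
    $db[$username] = ['pass' => hash_with_salt($password, $salt), 'salt' => $salt];
}

function login(array $db, string $username, string $password): bool
{
    if (!isset($db[$username])) {
        return false; // unknown user
    }
    // Retrieve this user's salt, redo the calculation, compare in constant time.
    $row = $db[$username];
    return hash_equals($row['pass'], hash_with_salt($password, $row['salt']));
}

// Constructed sample data: two users who pick the same password.
$db = [];
signup($db, 'alice', 'ABC');
signup($db, 'bob', 'ABC');

// Do the two stored hashes match even though the passwords do?
var_dump($db['alice']['pass'] === $db['bob']['pass']);
// Correct password, wrong password, unknown user.
var_dump(login($db, 'alice', 'ABC'));
var_dump(login($db, 'alice', 'ABD'));
var_dump(login($db, 'mallory', 'ABC'));
```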
If you can't get the code to work, or need some help, or even have some improvements to add, we would love to hear from you on the Static Chaos message boards.
