
#8 Salt for encryption

Status: open
Owner: nobody
Labels: None
Priority: 1
Updated: 2014-08-22
Created: 2005-11-23
Creator: Stefan Hojer
Private: No

May it be possible to add a salt-field for encrypted passwords?

This adds a bit more security. Especially in the aspect of rainbow-tree calculations on md5/sha1 sums. (see google: "rainbowcrack")

The authentication would work as:

validUser = passwordfield == md5('<salt><pass>');

The salt should either be read from a database field on a per-user basis, or be a static one.

Another solution would be to allow an explicit "printf"-type argument to pam-config which inserts the typed password in a config-defined sql-clause that evaluates to a boolean value.

regards,
Stefan Hojer

Discussion

  • (C)0||3N
    2008-08-28

    • priority: 5 --> 1

  • Anonymous
    2010-09-20

    Actually, it would be good if it was possible to specify a salting format - for example, I can think of at least one salting scheme that stores a per-user salt in the database and then hashes the password as md5(md5(<salt>)md5(<pass>)) - that is, it hashes both the salt and the password before concatenating them and hashing the result. I have also come across a scheme that concatenates the plain salt and the hashed password before doing the final hash.

    Basically, a way of specifying a salt column and how that salt is to be applied would be great.
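    As an added example (not code from this ticket or from the PAM module it concerns), the three salt-application schemes named in the request and in the comment above, behind one verifier that takes the scheme as a configuration value; the scheme names, the sample user row and its salt are assumptions made up for the demonstration.

```python
import hashlib
import hmac


def md5hex(data: bytes) -> str:
    """Hex MD5 digest; MD5 is used only because it is what the ticket's stored column holds."""
    return hashlib.md5(data).hexdigest()


# The salt-application schemes named in the request and the comment above.
# Each maps (salt, password) to the hex digest the password column would hold.
SCHEMES = {
    # md5('<salt><pass>'): the original request
    "salt_pass": lambda salt, pw: md5hex(salt + pw),
    # md5(md5(<salt>)md5(<pass>)): salt and password hashed before concatenation
    "md5salt_md5pass": lambda salt, pw: md5hex(
        md5hex(salt).encode() + md5hex(pw).encode()
    ),
    # md5(<salt>md5(<pass>)): plain salt concatenated with the hashed password
    "salt_md5pass": lambda salt, pw: md5hex(salt + md5hex(pw).encode()),
}


def verify_password(scheme: str, stored: str, salt: bytes, password: bytes) -> bool:
    """Recompute the digest under `scheme` and compare it to the stored value in constant time."""
    if scheme not in SCHEMES:
        raise ValueError(f"unknown salt scheme: {scheme}")
    candidate = SCHEMES[scheme](salt, password)
    return hmac.compare_digest(candidate, stored.strip().lower())


# Constructed sample row (hypothetical salt and password columns); the digest
# is derived here, not copied from any real database.
_ALICE_SALT = b"7f3a9c"
SAMPLE_ROWS = {
    "alice": {
        "salt": _ALICE_SALT,
        "passwd": SCHEMES["salt_pass"](_ALICE_SALT, b"correct horse"),
    },
}


def authenticate(scheme: str, username: str, password: bytes) -> bool:
    """Look up the user's salt and stored digest, then verify the typed password."""
    row = SAMPLE_ROWS.get(username)
    if row is None:
        return False
    return verify_password(scheme, row["passwd"], row["salt"], password)


def distinct_digests(scheme: str, password: bytes, salts: list) -> int:
    """How many different digests one password yields across per-user salts."""
    return len({SCHEMES[scheme](s, password) for s in salts})
```

    With a per-user salt the same password stored under different salts produces different digests, which is the precomputation defence the request cites; `distinct_digests` makes that visible.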