Newsgroups: php.internals
Xref: news.php.net php.internals:60835
Subject: Re: [PHP-DEV] Adding a simple API for secure password hashing?
From: Peter Lind <peter.e.lind@gmail.com>
To: Ángel González
Cc: PHP internals <internals@lists.php.net>
Date: Thu, 14 Jun 2012 18:33:15 +0200
In-Reply-To: <4FDA083F.6070602@gmail.com>

On 14 June 2012 17:50, Ángel González wrote:

*snip*

> May I ask how would you end up at the situation where the attackers have
> the password hashes but not the salt?
>
> Any process which needs to read the password hashes will also need
> knowledge of the salt. Thus an attacker would most likely also know both.
> That's precisely how salts are designed to work.

If your salts are not stored with your password hashes, then an SQL
injection that would leak your password hashes would not leak the salts.
The recent database leaks come to mind: had they only contained password
hashes but no salts (I know the hashes were unsalted, but *had* they been
salted ...) attackers would have faced an impossible task trying to
brute-force even just one hash. Otherwise, you'd be able to focus on a
given account (an admin account comes to mind) and spend all your efforts
on that using the typical options.

As pointed out once or twice, for most people/purposes, it's a theoretical
discussion. That doesn't mean it shouldn't be taken into consideration
though (people rarely break into your house where you expect them to).

> I admit you could have a common salt for all users stored in php and
> only a leak of the database. But such salt would most likely be provided
> by the user, generated using a different program... expected to be secure.
> Using a shared salt is worse than a unique salt per user, so that's not
> something to promote either.
> You wouldn't be "educating in the right way".

And I'm obviously not advocating a shared salt (at least, I wasn't
thinking I was, especially seeing as I asked for a parameter in function
to make sure that salts would be more random).
Regards
Peter

-- 
WWW: plphp.dk / plind.dk
LinkedIn: plind
BeWelcome/Couchsurfing: Fake51
Twitter: kafe15
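The two designs argued over in this exchange, per-user salts kept outside the database versus one shared salt, can be compared concretely. The following is an added illustration written for this page, not code from the thread or from PHP itself, and it uses Python's standard library rather than PHP so that it runs stand-alone. The account names, passwords, wordlist, iteration count and the split into a "users" table and a separate "salts" store are all constructed for the example; the stores are dictionaries standing in for a SQL table and an out-of-database file.

```python
import hashlib
import hmac
import os

# Constructed parameters for the demo; a production deployment would use
# a far higher iteration count.
ITERATIONS = 1000
SALT_BYTES = 16


def derive(password: str, salt: bytes) -> bytes:
    """Salted, iterated password hash (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


class PasswordStore:
    """Hashes and salts are kept in two separate stores.

    `users` plays the SQL table that an injection could dump; `salts` plays
    a store the application reads from outside the database. Dumping `users`
    alone yields hashes that cannot be attacked without the matching salts.
    """

    def __init__(self):
        self.users = {}  # username -> hex hash (in the database)
        self.salts = {}  # username -> salt bytes (outside the database)

    def register(self, username: str, password: str) -> None:
        salt = os.urandom(SALT_BYTES)  # fresh, unique salt per user
        self.salts[username] = salt
        self.users[username] = derive(password, salt).hex()

    def verify(self, username: str, password: str) -> bool:
        salt = self.salts.get(username)
        stored = self.users.get(username)
        if salt is None or stored is None:
            return False
        return hmac.compare_digest(derive(password, salt).hex(), stored)

    def leaked_user_table(self):
        """What a SQL injection against the database would expose: no salts."""
        return [(name, h) for name, h in self.users.items()]


# Constructed sample accounts and a constructed guess list.
SAMPLE_USERS = {"alice": "correct horse", "bob": "hunter2", "carol": "Tr0ub4dor&3"}
WORDLIST = ["123456", "password", "hunter2", "letmein", "qwerty"]


def build_records(shared_salt=None):
    """Return (username, salt, hash) triples for the sample accounts.

    With shared_salt=None every user gets a random salt; passing one salt
    reproduces the shared-salt design the thread warns against.
    """
    records = []
    for name, password in SAMPLE_USERS.items():
        salt = shared_salt if shared_salt is not None else os.urandom(SALT_BYTES)
        records.append((name, salt, derive(password, salt).hex()))
    return records


def cracking_work(records, wordlist):
    """Simulate a guess-list attack on leaked (salt, hash) pairs.

    Each distinct (salt, word) pair costs one derivation. A shared salt lets
    one pass over the wordlist cover every user; unique salts force the work
    to be repeated per user. Returns (derivations, {username: password}).
    """
    cache = {}
    recovered = {}
    for username, salt, stored in records:
        for word in wordlist:
            key = (salt, word)
            if key not in cache:
                cache[key] = derive(word, salt).hex()
            if hmac.compare_digest(cache[key], stored):
                recovered[username] = word
    return len(cache), recovered


if __name__ == "__main__":
    store = PasswordStore()
    for name, password in SAMPLE_USERS.items():
        store.register(name, password)
    print("login ok:", store.verify("bob", "hunter2"))
    print("leaked table carries no salts:", store.leaked_user_table()[0])
    print("unique salts:", cracking_work(build_records(), WORDLIST))
    print("shared salt: ", cracking_work(build_records(b"\x00" * SALT_BYTES), WORDLIST))
```

Running it shows the asymmetry in numbers: with unique salts the five-word list costs one derivation per user per word (15 here), while a shared salt costs five derivations for all three accounts combined, and in both cases only bob's weak password falls. The `leaked_user_table` method models the situation Peter describes, where an injection dumps hashes but the salts live elsewhere, so the attacker has nothing to feed into `cracking_work` at all.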