Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:61887 Return-Path: Mailing-List: contact internals-help@lists.php.net; run by ezmlm Delivered-To: mailing list internals@lists.php.net Received: (qmail 46923 invoked from network); 31 Jul 2012 12:02:53 -0000 Received: from unknown (HELO lists.php.net) (127.0.0.1) by localhost with SMTP; 31 Jul 2012 12:02:53 -0000 Authentication-Results: pb1.pair.com smtp.mail=jbondc@openmv.com; spf=permerror; sender-id=unknown Authentication-Results: pb1.pair.com header.from=jbondc@openmv.com; sender-id=unknown Received-SPF: error (pb1.pair.com: domain openmv.com from 64.15.152.204 cause and error) X-PHP-List-Original-Sender: jbondc@openmv.com X-Host-Fingerprint: 64.15.152.204 mail.ca.gdesolutions.com Received: from [64.15.152.204] ([64.15.152.204:57006] helo=mail.ca.gdesolutions.com) by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP id AD/BA-00342-969C7105 for ; Tue, 31 Jul 2012 08:02:52 -0400 Received: from localhost (localhost [127.0.0.1]) by mail.ca.gdesolutions.com (Postfix) with ESMTP id 2D1845DB5; Tue, 31 Jul 2012 08:02:47 -0400 (EDT) X-Virus-Scanned: amavisd-new at gdesolutions.com Received: from mail.ca.gdesolutions.com ([127.0.0.1]) by localhost (mail.ca.gdesolutions.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id PC+XTjRBVAcj; Tue, 31 Jul 2012 08:02:41 -0400 (EDT) Received: from djbondc (modemcable166.116-70-69.static.videotron.ca [69.70.116.166]) by mail.ca.gdesolutions.com (Postfix) with ESMTPSA id 91C845DAF; Tue, 31 Jul 2012 08:02:41 -0400 (EDT) To: "'Arvids Godjuks'" , "'Anthony Ferrara'" Cc: References: In-Reply-To: Date: Tue, 31 Jul 2012 08:02:39 -0400 Message-ID: <004a01cd6f14$62247d40$266d77c0$@com> MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable X-Mailer: Microsoft Office Outlook 12.0 Thread-Index: Ac1UgpcIVzB38t0JTHWd9zyeyFiVEQAAa5Yw Content-Language: en-ca Subject: RE: [PHP-DEV] [DRAFT RFC] Adding Simplified Password Hashing API From: jbondc@openmv.com ("Jonathan Bond-Caron") On Wed Jun 27 12:32 PM, Arvids Godjuks wrote: > because at the moment i do not understand how salt stored in the hash = itself makes hash more=20 > secure than an unsalted one. a) In terms of 'effort' to break many passwords, there's a benefit to = the salt stored in the hash itself. It's not 'more secure' but 'better/recommended' since the attacker would = need to create a 'rainbow table' for each password it's trying to crack=20 Overall, the technique offers better protection. b) In terms of 'effort' to break a single password, there's **no** = benefit to the salt stored in the hash itself. If you want a single password to be really secure, don't let the = attacker know the salt and keep it long: // no benefit of short salt, ~ same effort required by the attacker $password =3D '234'; md5($password); $salt =3D '1'; $password =3D '234'; md5($salt . $password); c) The best of both worlds: long private salt (b) + different for every = user (a)=20 $saltInpassword =3D $password[0]; // could be random bytes, stored in = password like crypt() does $salt =3D 'my-long-private-value-use-all-bytes'. $saltInPassword; $password =3D '234'; $hash =3D md5($salt . $password); This one requires more effort by the attacker since the long salt forces = more 'bits/guesses' to pass into md5() // require even more effort, iterate for($i =3D 0; $i < 1000; $i++) $hash =3D md5($i . $hash);