
I'm not sure I get this 'salt' thing

Author
22 Jul 2005 4:16 PM
wolfing1
We all know storing a password straight up in the database is not good.
Anyone who gets access to the table can get the passwords there right?
So we encrypt the passwords and now they can't.
But they can have a list of encrypted passwords and do a dictionary
search, like if they know 'Banana' translates to '*#@(ASADSFAV#' they
could go and do a

Select * from users where password='*#@(ASADSFAV#'

This would give them the users that have 'Banana' as password, so this
is not cool.

Then, I read people say I could add a 'salt' value and encrypt the
password concatenated with the salt, and store the salt in the same
table?
This is what I don't get.  Can't I just do this to circumvent that?

Select * from users where password=f('Banana'+salt)???
Sure it could take a bit longer, but if the user DB is, say, 10000
records, it just adds like 5 seconds maybe.

So what's the big deal with 'salt'?
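
As an added illustration (not part of the thread), this shows the point the question circles around: with unsalted hashes the attacker hashes the wordlist once and matches it against every row at the same time, and identical passwords collide; with a per-row salt the f('Banana'+salt) loop has to be repeated for every user, so the work grows with the size of the user table. The user table and wordlist are constructed sample data, and SHA-256 stands in for the unnamed f().

```python
import hashlib
import secrets

# Constructed sample data (not from the thread): a tiny user table and a tiny
# attacker wordlist. Real wordlists hold millions of entries.
WORDLIST = ["123456", "password", "Banana", "letmein", "qwerty"]
USERS = {"alice": "Banana", "bob": "Banana", "carol": "letmein", "dave": "Tr0ub4dor&3"}

def hash_unsalted(password: str) -> str:
    return hashlib.sha256(password.encode()).hexdigest()

def hash_salted(password: str, salt: bytes) -> str:
    # The salt is concatenated with the password, as the thread describes, and
    # stored in clear next to the hash: it is not a secret, only a per-user value.
    # (A real deployment would also use a slow password hash such as bcrypt or Argon2.)
    return hashlib.sha256(salt + password.encode()).hexdigest()

def store_unsalted(users: dict) -> dict:
    return {u: hash_unsalted(p) for u, p in users.items()}

def store_salted(users: dict) -> dict:
    table = {}
    for u, p in users.items():
        salt = secrets.token_bytes(16)  # fresh random salt per row
        table[u] = (salt, hash_salted(p, salt))
    return table

def crack_unsalted(table: dict, wordlist: list) -> tuple:
    """Unsalted: hash the wordlist once, then look every user up in that table.
    Equal passwords give equal hashes, so one hit exposes all matching users.
    Work = len(wordlist) hashes no matter how many users there are."""
    lookup = {hash_unsalted(w): w for w in wordlist}
    found = {u: lookup[h] for u, h in table.items() if h in lookup}
    return found, len(lookup)

def crack_salted(table: dict, wordlist: list) -> tuple:
    """Salted: the precomputed table is useless because every row has its own
    salt, so each user costs a fresh pass over the wordlist (the f('Banana'+salt)
    loop from the question). Work = len(wordlist) * len(table)."""
    found, work = {}, 0
    for user, (salt, stored) in table.items():
        for w in wordlist:
            work += 1
            if hash_salted(w, salt) == stored:
                found[user] = w
    return found, work
```

Two users with the same password get different salted values, so the `Select * from users where password='...'` clustering trick from the question finds nothing, and the extra cost is per user rather than once for the whole table.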

Author
22 Jul 2005 5:03 PM
Valery Pryamikov
Hi,
you may check this blog post of mine:
http://www.harper.no/valery/PermaLink,guid,ea26f2f0-31f7-4707-89eb-191940d5bf63.aspx

-Valery.
http://www.harper.no/valery

<wolfi***@yahoo.com> wrote in message
news:1122049006.225541.23800@o13g2000cwo.googlegroups.com...
> We all know storing a password straight up in the database is not good.
> Anyone who gets access to the table can get the passwords there right?
> So we encrypt the passwords and now they can't.
> But they can have a list of encrypted passwords and do a dictionary
> search, like if they know 'Banana' translates to '*#@(ASADSFAV#' they
> could go and do a
>
> Select * from users where password='*#@(ASADSFAV#'
>
> This would give them the users that have 'Banana' as password, so this
> is not cool.
>
> Then, I read people say I could add a 'salt' value and encrypt the
> password concatenated with the salt, and store the salt in the same
> table?
> This is what I don't get.  Can't I just do this to circumvent that?
>
> Select * from users where password=f('Banana'+salt)???
> Sure it could take a bit longer, but if the user DB is, say, 10000
> records, it just adds like 5 seconds maybe.
>
> So what's the big deal with 'salt'?
>