Comments on: MD5 Hashing and Salt

By: JuanJose

JuanJose — Mon, 26 Jul 2010 20:41:15 +0000

The problem with your assumption here is that you believe the salt would ever become available to you – just because you select a ‘remember me’ option does not mean we would ever store any sensitive data in a cookie. More likely I would send a session ID and a randomly generated auth code, which will get matched against various variables when attempting to validate your cookie.

So really, I don’t see a site wise salt as a bad idea, so long as we never send sensitive information (which we never should!).

By: austin

austin — Mon, 26 Jul 2010 18:19:08 +0000

site wise salt is a bad idea…
suppose im registered at site a, i know my pass and my pass+salt is stored in my cookies (if i said remember me) so i check an md5 of my pass and see it doesnt match, i determine its using a salt, so i use my known pass and a rainbow table to brute force the salt. now i have to know in advance that all users will have that salt…or i can just guess well. and when i get someone elses digest i can use the known salt and a rainbow table and brute force the pass.
this is also true if the algorithm for making the salted md5 is known and the database in compromised such that i have access to the information used, i can then brute force just the same as if there WAS no salt.

By: Ashutosh Grewal

Ashutosh Grewal — Sat, 20 Feb 2010 08:54:19 +0000

That was good! :)