salt

I have been trying for several days to decrypt in java a message encrypted with openssl. The message was encrypted with the following command: openssl enc -e -aes-256-cbc -kfile $ file.key -in toto -out toto.enc. The file file.key contains the symmetric key of 256 bits. No salt has been specified in the command and yet the file begins with Salted__. Here is the class that I coded to try to decrypt the file but impossible to get anything even by removing the 16 characters of the file namely the: Salted__ + the salt encrypted. I understood that openssl did it by default. When I try to decipher,

I have just read many, many articles on SO about hashing passwords with salt but I just cannot find an answer to the particular query/confusion I have. Let's say I have just done this method for adding a password and salt to the DB: Create a random salt Hash the users password + salt together Store the hash output as the password in column 'password' Store the random salt in column 'salt' If this is correct, what happens when an attacker gets access to my DB? Surely if they can read what the salt value is for that hashed password, they can work out what the hashed password is without the salt

I'm reading so much conflicting advice as to how to store passwords securely. All I know for sure is not to use MD5! I've seen people advocate using PHP's bcrypt function, which seems like it'd hog the server's processor. I've seen advocates for salts, and advocates for not using salts. It's all just so unclear. Is there real and credible advice as to how to store passwords securely? Edit: After a fair amount of research, I found an article from ;login: that deals with the topic in quite some depth: http://www.usenix.org/publications/login/2004-06/pdfs/alexander.pdf Well, there is several

I'm trying to generate a salt in Java to use with a hashing algorithm for secure password storage. I'm using the following code to create the random salt: private static String getSalt() throws NoSuchAlgorithmException { SecureRandom sr = SecureRandom.getInstance("SHA1PRNG"); byte[] salt = new byte[16]; sr.nextBytes(salt); System.out.println(salt.toString()); return salt.toString(); } Which should generate a completely secure, randomly generated salt to use in my hashing algorithm. When I run the code however, it keeps outputting the same salt every time... Indicating that the salt being

With all the recent (e.g. LinkedIn) discussions of passwords I'm looking at password hashing implementations. After two cups of coffee and a morning reading I'm no more a cryptographer than when I started. And I really don't want to pretend that I am. Specific Questions Does using a integer unique user ID fail as an effective salt? (crypt() uses only 16 bits?) If I simply run sha256() on a hash over and over until a second is used up does that defeat the brute-force attacks? If I have to ask these questions should I be using bcrypt? Discussion/Explanation: The goal is simply if my user's

It keeps running in my mind the last couple of days, but I read some articles about how to make your PHP sessions more secure. Almost all of these articles say that you need to save the useragent in the session WITH an additional salt. Something like this: $fingerprint = md5('SECRET-SALT'.$_SERVER['HTTP_USER_AGENT']); The salt would make it harder for an attacker to hijack or whatever the session. But WHY add a salt every time you would check it like this: md5('SECRET-SALT'.$_SERVER['HTTP_USER_AGENT']) == $_SESSION [ 'fingerprint' ] So WHY would a salt make it more secure, since the attacker