salt

In a Linux system, passwords are stored using an MD5 hash. Why can the usage of "salt" protect the system more? Particularly, I want to make clear the following two The salt is said to be stored in clear text with the hash, then how it can prevent the attacker when the attacker knows the salt value. (Attacker can be the system administrator himself who can check /etc/shadow . If the salt is generated randomly everytime, how can the system compare the hash to authenticate the user? For example, User A has user salt s1 and generate h1; h1 = md5(password.s1); . The next time, it uses salt s2 and

I am generating salt and hash values from my passwords by using, string salt = CreateSalt(TxtPassword.Text.Length); string hash = CreatePasswordHash(TxtPassword.Text, salt); private static string CreateSalt(int size) { //Generate a cryptographic random number. RNGCryptoServiceProvider rng = new RNGCryptoServiceProvider(); byte[] buff = new byte[size]; rng.GetBytes(buff); // Return a Base64 string representation of the random number. return Convert.ToBase64String(buff); } private static string CreatePasswordHash(string pwd, string salt) { string saltAndPwd = String.Concat(pwd, salt); string

I am using Code Igniter for my current project. As of now, I am using MD5 for password hashing, but I have read at a lot of places, that it is not a good practice to do so. What should I go with? Using a salt Or should I use bcrypt Also, if bcrypt is recommended, then how to use it with Code Igniter? EDIT I have put these files in application/libraries PasswordHash.php c/Makefile c/crypt_private.c In my controller, I am using this code - $params = array( 'phpass_hash_strength' => 8, 'phpass_hash_portable' => FALSE ); $this->load->library('PasswordHash', $params); $password = $this-

I am fairly new to cryptography and I am using BouncyCasetle API to encrypt password and store it in the database. For encryption I am using SHA-1 algorithm and I want to salt the password to prevent it agains dictionary attacks. Any help would be appreciated. I'd recommend use of a Password-Based Key Derivation Function instead of a basic hash function for this. Something like this: // tuning parameters // these sizes are relatively arbitrary int seedBytes = 20; int hashBytes = 20; // increase iterations as high as your performance can tolerate // since this increases computational cost of

Here's the function I'm using to generate random salts: function generateRandomString($nbLetters){ $randString=""; $charUniverse="abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"; for($i=0; $i<$nbLetters; $i++){ $randInt=rand(0,61); $randChar=$charUniverse[$randInt]; $randString=$randomString.$randChar; } return $randomString; } This is for a non commercial website. It's only used to generate the salt (to be stored in the db and used along with the user submitted pw for hashing). Is this appropriate? Should I use a larger subset of characters, and if so is there an easy way to

I am going through various password hashing techniques and I found a tutorial which left me a bit dubious about some points. In particular, I just would like if you could reconfirm/explain a few things.For example i found the following function. Now if I understand well what this is doing, it's generating a salt which in case with the following values: $salt = sprintf("$2a$%02d$", $cost) . $salt; // if $cost = 10 and $salt 234, then it should output $2a$1002d$234? Secondly, the example for authentication uses the following comparison: if ( crypt($password, $user->hash) === $user->hash ) and it

I stumbled across BCrypt.net after reading Jeff Atwood's post about storing passwords which led me to Thomas Ptacek's recommendation to use BCrypt to store passwords. Which finally led me to this C# implementation of BCrypt In the comments on the last link above someone asked "Why do GenerateSalt(30) take for ever, but GenerateSalt(31) seems to take no time at all?" I ran BCrypt.HashPassword(password, BCrypt.GenerateSalt(31)) and got my result in 0 milliseconds. I've been running BCrypt.HashPassword("password", BCrypt.GenerateSalt(30)) for over 5 minutes now and still do not have a result. I

I'm using a website as a frontend and all users are authenticated with the standard ASP.NET Membership-Provider. Passwords are saved "hashed" within a SQL-Database. Now I want to write a desktop-client with administrative functions. Among other things there should be a method to reset a users password. I can access the database with the saved membership-data, but how can I manually create the password-salt and -hash? Using the System.Web.Membership Namespace seems to be inappropriate so I need to know how to create the salt and hash of the new password manually. Experts step up! :) You can