Trying to understand salting and hashing passwords in Ruby on Rails

I'm going through Michael Hartl's book (a terrific, free resource, by the way, thanks to Michael!), and I have a question about salting and password hashing. The point of salting the password is so that a hacker can't perform a rainbow attack, which, if I understand correctly, is basically a brute force attack, if the hacker can guess the type of encryption used. To prevent such an attack, the salt is used to randomize the password before encrypting it, but shouldn't this salt be stored with the encrypted password? If so, then if the hacker can access the database and get the encrypted password, can't they also get the salt and continue their rainbow attack?

Here's an example of Michael's code from the book ...

    >> Time.now.utc
    => Fri Jan 29 18:11:27 UTC 2010
    >> password = "secret"
    => "secret"
    >> salt = secure_hash("#{Time.now.utc}--#{password}")
    => "d1a3eb8c9aab32ec19cfda810d2ab351873b5dca4e16e7f57b3c1932113314c8"
    >> encrypted_password = secure_hash("#{salt}--#{password}")
    => "69a98a49b7fd103058639be84fb88c19c998c8ad3639cfc5deb458018561c847"

Thank you very much!

+4
1 answer

No, a rainbow table attack is not the same thing as a brute force attack.

You can imagine the rainbow table as a large database of strings and their hashes. When someone gets access to your database, they can compare passwords with those in the rainbow table and it's easy to get a password.

Salt prevents this by adding extra bits to the password. If the salt is long enough, the hash will not be in the rainbow table.

When using brute force attacks, you must calculate the hashes, and with the help of rainbow attacks, you already have the hashes.

So, when someone gets access to your database, they can also get your salt. But it does not matter if it is unique to each record.

+9
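To make the answer concrete, here is an added Ruby example (not from the book or the thread) that reproduces the book's salt-then-hash scheme and checks it against a tiny stand-in for a rainbow table. It assumes `secure_hash` is a SHA-256 hex digest, as in the session above, and swaps the book's timestamp salt for a random per-record salt from `SecureRandom`.

```ruby
require "digest"
require "securerandom"

# The book's helper; assumed here to be a SHA-256 hex digest.
def secure_hash(string)
  Digest::SHA256.hexdigest(string)
end

# Per-record salt. Random bytes rather than Time.now.utc, so two users who
# pick the same password still end up with different stored hashes.
def new_salt
  SecureRandom.hex(16)
end

# Same construction as the book: hash the salt and password together.
def encrypted_password(password, salt)
  secure_hash("#{salt}--#{password}")
end

# Verification at login time: recompute with the stored salt and compare.
def authenticate?(password, salt, stored_hash)
  encrypted_password(password, salt) == stored_hash
end

# A miniature "rainbow table": precomputed hashes of common passwords.
# Constructed for this demo; a real one holds billions of entries.
COMMON_PASSWORDS = %w[secret password 123456 letmein].freeze
RAINBOW_TABLE = COMMON_PASSWORDS.each_with_object({}) do |pw, table|
  table[secure_hash(pw)] = pw
end.freeze

# Returns the password if the stored hash is in the table, else nil.
def rainbow_lookup(stored_hash)
  RAINBOW_TABLE[stored_hash]
end

if __FILE__ == $PROGRAM_NAME
  # Unsalted: the hash of "secret" is found immediately.
  puts "unsalted lookup: #{rainbow_lookup(secure_hash('secret')).inspect}"

  # Salted: even with the salt sitting next to the hash in the database,
  # the precomputed table has nothing to match against.
  salt = new_salt
  stored = encrypted_password("secret", salt)
  puts "salt stored in DB: #{salt}"
  puts "salted lookup:   #{rainbow_lookup(stored).inspect}"
  puts "login works:     #{authenticate?('secret', salt, stored)}"
end
```

Knowing the salt only lets the attacker start a fresh brute-force run for that single record, which is exactly the cost the per-record salt is meant to impose.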

Source: https://habr.com/ru/post/1342553/
