Using account names as salt

So, I am creating a website for a game. Nothing that will become popular :P

Now I'm thinking about password security. I'm going to use salting, but instead of adding a new column to the accounts table, I thought about using the account name as the salt, because it cannot be changed and is "unique". I mean, two users cannot have the same account name.

But then I wondered how safe that is if, say, someone has the account name "banana". I mean, that word is probably common in those hackers' dictionaries.

Let's say the account name is "banana" and the password is "hello" (hashed with sha1); that would be pretty easy to crack, am I right?

+3
source
6 answers

No. Follow standard practice and generate a new unique salt for each user, and just store it next to the other fields in the database; this is not difficult to do.

+3
source

A hacker can look up the hash in the rainbow table and find that it matches the input "bananahello" (given that "bananahello" is already in the rainbow tables). He can see that the username is "banana", ergo the password is "hello".

HTTP Digest HA1: sha1( ... ). (e.g. "example.com"). The benefit ..., ..., Basic.

+1


SHA1("whooooohooomysiteisthebest_bananahello")

0



By using public usernames you have given away the salt value; the only remaining task would be to compute a rainbow table for that known salt. So, to answer your question: yes, your implementation would be easy (though maybe not fast) to reverse.

0
source
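The two points made in the thread, that a public username lets the attacker precompute a lookup table before any breach (last answer) and that a random per-user salt stored beside the hash is the standard fix (first answer), as an added example that is not code from the original thread or from anyone in it. The wordlist, the user names, the PBKDF2 iteration count and the record layout are all assumptions constructed for this example; only the "banana"/"hello" pair comes from the thread.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional

# Constructed attacker wordlist for the example (not from the thread).
WORDLIST: List[str] = ["123456", "password", "welcome", "hello", "letmein"]


def weak_hash(username: str, password: str) -> str:
    """The questioner's scheme: sha1(account_name + password)."""
    return hashlib.sha1((username + password).encode("utf-8")).hexdigest()


def precompute_weak_table(username: str, wordlist: List[str]) -> Dict[str, str]:
    """Attacker's precomputation. Because the 'salt' is the public username,
    this table can be built before the hash is ever obtained."""
    return {weak_hash(username, w): w for w in wordlist}


def lookup(table: Dict[str, str], stored_hash: str) -> Optional[str]:
    """A table hit recovers the password with a single dictionary lookup."""
    return table.get(stored_hash)


# --- the fix recommended in the thread: a random salt stored per user ---
ITERATIONS = 200_000  # assumed PBKDF2 cost; tune to your hardware budget


def make_record(password: str, iterations: int = ITERATIONS) -> dict:
    """Build the stored row: random salt + PBKDF2-HMAC-SHA256 digest."""
    salt = os.urandom(16)  # fresh and unpredictable for every user
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"salt": salt.hex(), "hash": digest.hex(), "iterations": iterations}


def verify(record: dict, password: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256",
        password.encode("utf-8"),
        bytes.fromhex(record["salt"]),
        record["iterations"],
    )
    return hmac.compare_digest(digest.hex(), record["hash"])


def precompute_salted_table(salt_hex: str, iterations: int, wordlist: List[str]) -> Dict[str, str]:
    """What the attacker must do against the salted scheme: one table per
    salt, and only after stealing that user's row. It still finds a weak
    password that is in the wordlist, which is why the hash must also be
    slow; the salt only removes precomputation and cross-user reuse."""
    salt = bytes.fromhex(salt_hex)
    return {
        hashlib.pbkdf2_hmac("sha256", w.encode("utf-8"), salt, iterations).hex(): w
        for w in wordlist
    }


if __name__ == "__main__":
    # Weak scheme: the table for user "banana" exists before the breach.
    stored = weak_hash("banana", "hello")
    table = precompute_weak_table("banana", WORDLIST)
    print("weak scheme, user banana ->", lookup(table, stored))

    # Salted scheme: same password, two users, two unrelated rows.
    alice = make_record("hello")
    bob = make_record("hello")
    print("same password, different rows:", alice["hash"] != bob["hash"])
    alice_table = precompute_salted_table(alice["salt"], alice["iterations"], WORDLIST)
    print("alice's table recovers alice:", lookup(alice_table, alice["hash"]))
    print("alice's table recovers bob:", lookup(alice_table, bob["hash"]))
```

Running the script shows the weak scheme giving up "hello" for "banana" from a table built without ever touching the database, while against the salted rows a table built for one user's salt says nothing about another user with the same password; the remaining risk is the weak password itself, which the iteration count is there to make expensive.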

Source: https://habr.com/ru/post/1727545/
