SALT + Hash ??

P00HB33R

Hi Guys,

Let's say I hash a user's password (no salt), then select every fourth character in the resulting hash, and use that as a SALT that I add to the original password and hash the resulting string (password + generated salt).

Would this be considered safe use of Hash & salt?

I have also added a randomly generated number that is used to re-hash the stored hash, which is then compared to the login details supplied by the user. The random number is sms'ed to the client and he has to enter it on the login screen.

Would this further secure the application?

Any suggestions on making the app safer would be appreciated.
 
Please explain in detail what you are trying to do, then I can apply my mind to it. Pseudocode would also be nice...
 
Wow, I was confused when I saw this post come up on my what's new list.
Misleading title.
 
Wow, I was confused when I saw this post come up on my what's new list.
Misleading title.

LOL yeah, something totally different when I actually read the post.

Misleading, but it's getting viewers because of one word... Hash.
 
Had a bloody good laugh when I realised what the title looked like. Bwhahahaha. Will post the full details of what I'd like to achieve. But the short of it is to hash a pre-hashed password with a random number that is sms'ed to the user. Just to add an extra layer of security.
 
Ok lemme get this right.

You want to hash a password that has already been hashed yes?

Or what do you mean with "pre-hashed"?
 
Why don't you just use sha256 encryption?

SHA256 is not an encryption scheme, but is a pretty good hashing algorithm.

To OP:

What you are suggesting is security through obscurity and it is best to rather stay with the tried and proven approaches. Salting is not intended to increase the complexity of the hashing algorithm, but rather ensure that each value stored in the database is unique.

The approach described is counterproductive, in that it is ineffective as a salt. Two users with the same password --> same initial hash --> same derived salt --> same resulting hash.

5000 or more iterations of SHA256 is really good at preventing offline brute force attempts, especially if you use a random salt. The salt can be stored in clear-text in the DB, next to the password. The security is not in the salt, but rather the hashing algorithm.

As for the OTP, just use the same hashing algorithm as for the password. Don't make it obscure and hard to maintain; adding another 256-bit column to the DB is really not a massive overhead.
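The point made in the reply above, as an added example that is not part of the original thread: a salt derived from the password gives two users with the same password the same stored hash, while a random per-user salt does not. It assumes Python's standard-library PBKDF2-HMAC-SHA256 as a stand-in for "5000 or more iterations of SHA256"; the function names and the sample password are constructed for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 5000  # the floor named in the thread; an assumption, tune upward


def derived_salt_hash(password: str) -> str:
    """Scheme from the first post: salt = every fourth character of hash(password)."""
    first = hashlib.sha256(password.encode()).hexdigest()
    salt = first[3::4]  # 4th, 8th, 12th ... character; depends only on the password
    return hashlib.sha256((password + salt).encode()).hexdigest()


def new_record(password: str) -> tuple:
    """Random per-user salt plus iterated SHA-256; both values are stored in the DB."""
    salt = os.urandom(16)  # stored in clear text next to the hash
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify(password: str, salt: bytes, stored: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, stored)


def demo() -> dict:
    password = "correct horse"  # constructed sample shared by two users
    alice = new_record(password)
    bob = new_record(password)
    return {
        # Derived salt: both users end up with an identical stored value.
        "derived_salt_collides": derived_salt_hash(password) == derived_salt_hash(password),
        # Random salt: same password, different stored values.
        "random_salt_collides": alice[1] == bob[1],
        "correct_password_accepted": verify(password, *alice),
        "wrong_password_accepted": verify("wrong guess", *alice),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```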
 
So basically I am trying to get a way to avoid storing the SALT in a database. That's why I try to generate a SALT from the password hash. Bear in mind that the hash that I use to get the SALT from is generated using the password & username, which will be unique across the whole user database each time, as duplicate usernames are not permitted.
 
I'm using the MD5 hash scheme (yes, I know it's not that great, but this is just for testing purposes).

Ok, so I'm gonna drop this whole whacky idea of mine. I'll do it the old-fashioned way. Maybe just sms the client a random 4-digit number to enter at login, which is compared to the generated number. And then just compare the stored hash with the user's entered password hash.

Thanks for everyone's input.
 
For those who aren't sure why you need to salt & hash passwords, this video offers a very good explanation:

[video=youtube;8ZtInClXe1Q]https://www.youtube.com/watch?v=8ZtInClXe1Q[/video]
 