The salt ensures that you have to brute force every single password individually (increasing the amount of computation required to find them all) because you have to include the salts. So if you have 20 users, you have to spend about 20 times more time computing hashes.
<br><br>It isn't much more secure. In fact I'd say this does nothing, if an attacker can retrieve the hashes, it is also likely he doesn't need them (bypass/change).<br><br>-Matt<br><br><div><span class="gmail_quote">
On 7/30/07, <b class="gmail_sendername">Reto Hugi</b> <<a href="mailto:plog@hugi.to">plog@hugi.to</a>> wrote:</span><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
Hi List<br><br>I accidently read the release notes for the latest Joomla bugfix release<br>and stumbled upon an interesting note:<br><br>They changed the way they store user passwords to make them more secure<br>(they probably want to adress md5 weaknesses with rainbow tables).
<br>As we had once a vulnerability where the md5 hash of the admin password<br>was revealed due to an sql injection vulnerability I thought it would be<br>interesting to know more about the measures the joomla team took.<br>
<br>This is what they do:<br><br>// salt is a random 16 char string, no hardcoded secret used<br>$salt = mosMakePassword(16);<br><br>$crypt = md5($passwd.$salt);<br><br>// this will store the string in the database.<br>$row->password = $crypt.':'.$salt;
<br><br><br>Does anybody see where this could improve security? It hardly can<br>prevent attackers if an sql injection reveals the password because the<br>secret is included in the string after the colon, right?<br><br>Oh well, may one of you guys has an idea...
<br><br>cheers,<br>reto<br>_______________________________________________<br>pLog-svn mailing list<br><a href="mailto:pLog-svn@devel.lifetype.net">pLog-svn@devel.lifetype.net</a><br><a href="http://limedaley.com/mailman/listinfo/plog-svn">
http://limedaley.com/mailman/listinfo/plog-svn</a><br></blockquote></div><br>