Why should't I use an encryption salt I enter myself and use a function to randomize a salt for me?
https://stackoverflow.com/questions/8393169
-
28-10-2019 - |
italiano
english
français
española
中国
日本の
العربية
Deutsch
한국어
Português
RussianQuestion
I am just typing a salt and on php documentations, people always use some random variable function. What is the disadvantage of typing a salt instead of generating it?
Solution
The point of salt is to add entropy to the hash. Cryptographic hashes are designed so that a tiny change to the input makes a huge difference in the resulting hash, so (barring a flaw in the algorithm) it becomes impossible to know whether the original input was the same from checking the similarity between two differently salted hashes.
But if you use the same salt for everyone, you lose much of the benefit that provides. Two identical passwords hashed with the same salt will give you the same hash.
If you use the same salt for everyone, then at the very least, someone can figure out that two users have the same password.
More importantly, it greatly lessens the time someone has to spend to crack passwords, since they can now check the same hash against every user at once.
At worst, someone could already have a lookup table for the salt you use, making it trivial to crack every user's password.
While it's possible to use a simple salt (like the user's ID) to achieve the goal of making cracking harder, it's only a tiny bit more effort to use a random string, and makes cracking even harder (since the salt is nearly impossible to predict ahead of time, the chance of having a precomputed lookup table for that salt becomes much lower).
OTHER TIPS
Why force your users to type something?
Randomly generated bytes will have much more entropy that user input (which is typically only alphanumeric ASCII).
