Question

I'm sure there's something fundamental to all of this that simplifies the whole concept that I'm missing, but here goes:

OK, you salt & hash passwords for security, but what about the code that does it?

If you're on a host or vps, can't "someone" get ahold of your source b/c you compiled it there? Or, if they can access your database, can't they access the program that does the encryption/decryption and bruteforce it until they get the algorithm?

I know nothing can ever be 100% secure, but how can security be improved in this context?

Solution

Salting will protect the data somewhat from a dictionary or rainbow table attack in the case that your data was compromised. Brute force is not impossible, but will be slow and will need to be performed again for each password hash. If salting was not done, brute force attacks become much easier to attain.

Contrary to what some say, the salt is not protected in any special way (nor does it need to be), but is present in plain text as appended to the hash. It does, however, need to be unique for each hash or it becomes pointless for this use. This is in contrast to a pepper that is used for all hashes and must be protected. Because of this distinction, salting is generally preferred unless access to the pepper is guaranteed to be restricted (not an easy task).

If you want improved security, don't use a shared host. And don't allow direct access to the database. And don't allow anyone that hasn't been prescreened to access your system. In a practical sense, these aren't always viable options. So just use a salt and live with it :)
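
An added example (not part of the original answer) of the scheme described above: a random salt generated per password and stored in plain text next to the hash, using PBKDF2 from Python's standard library. The function names, record format, iteration count and sample password are assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 600_000  # assumed work factor; tune it for your own hardware


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return a storable record: algorithm$iterations$salt_hex$hash_hex."""
    salt = secrets.token_bytes(16)  # fresh random salt for every password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the salt read back from the stored record."""
    try:
        algorithm, iterations, salt_hex, hash_hex = record.split("$")
        if algorithm != "pbkdf2_sha256":
            return False
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(hash_hex)
        candidate = hashlib.pbkdf2_hmac(
            "sha256", password.encode(), salt, int(iterations)
        )
    except (ValueError, OverflowError):
        return False  # malformed or truncated record
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(candidate, expected)


def unsalted(password: str) -> str:
    """Fast unsalted hash, shown only for contrast with the salted records."""
    return hashlib.sha256(password.encode()).hexdigest()


if __name__ == "__main__":
    shared = "hunter2"  # constructed sample: two users pick the same password
    joe, fred = hash_password(shared), hash_password(shared)
    # Without a salt, equal passwords give equal hashes, so one precomputed
    # table or one cracked entry covers every user who chose that password.
    print("unsalted equal:", unsalted(shared) == unsalted(shared))
    # With per-password salts the stored records differ, so each hash has
    # to be attacked separately even though the salts are not secret.
    print("salted equal:  ", joe == fred)
    print("joe verifies:  ", verify_password(shared, joe))
    print("fred verifies: ", verify_password(shared, fred))
    print("wrong guess:   ", verify_password("hunter3", joe))
```
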

OTHER TIPS

There's nothing "hidden" in your source code regarding the hash algorithm. In fact, you should be using a proven, well-known implementation of a strong hash and not implementing the algorithm yourself.

The salt is the part that needs to be protected. That salt is not part of your code (or should not be) but rather should be stored in some sort of file storage / database (depending on your application), and should be applied on a per-user basis (user Joe should have a different salt for his password than user Fred).

To be sure, it is critically important to protect the salt used with each user's password. That's where proper file system / database permissions come into play.

On another note, your code should also be protected from any unauthorized user as well, but not for the reason of protecting the salt (at least not directly... if someone can access the salt, or just replace your code with their own, entirely bypassing the authentication check).

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow