Salted hash - Storing Salt In password or a seperate field [modified]

7 Posts 4 Posters 1 Views 1 Watching
#1 DotNetWWW wrote:

Hi all, as you know, when implementing the salted hash technique we go through the following steps:
1) Generate a random salt using classes in the Cryptography namespace.
2) Get the password.
3) Combine password and salt and hash it.
4) Store the salt in a field called SALT.
5) Store the hashed value in a field called Password.
Also we have a field called Username. When authenticating, we follow these steps:
1) Get the username.
2) Get the password.
3) Combine the entered password with the salt in the database.
4) Hash it and then compare it to Password.
5) If both match, the user is valid.
My question is: is it possible to store the salt inside the password field instead of creating a separate field for the salt? So if an attacker breaks into the DB, he cannot extract the salt value and will not know what the salt is. And another question: is it a good idea to also salt-hash the username? If yes, how do you implement this? Note that I use a unique salt for each password. Thanks in advance.

    modified on Thursday, September 18, 2008 12:49 PM


#2 N a v a n e e t h wrote:

      DotNetWWW wrote:

      that is it possible to Store salt inside password field instead of creating a seperate field for salt?

Yes. That's a good method. Steps could be:
1 - Generate a random salt.
2 - Append the salt to the plain text and calculate the hash.
3 - Append the salt bytes to the hashed bytes and return a base64 string.
For verifying you can follow:
1 - Get the hash bytes from the base64 string.
2 - Extract the original salt from the byte array. Usually a hash algorithm will have a predefined hash size; MD5 uses 128-bit hashes.
3 - Calculate the hash again with the plain text and the extracted salt.
4 - Verify the newly created hash against the original one.

      DotNetWWW wrote:

      is that is it a good idea to also Salt-Hash username

      I think it is not necessary.

      All C# applications should call Application.Quit(); in the beginning to avoid any .NET problems.- Unclyclopedia How to use google | Ask smart questions


#3 Paul Conrad wrote:

        N a v a n e e t h wrote:

DotNetWWW wrote: "is it a good idea to also Salt-Hash username"
I think it is not necessary.

        I agree. No real point in doing that, unless he wants to make the username unreadable and that may backfire on him.

        "The clue train passed his station without stopping." - John Simmons / outlaw programmer "Real programmers just throw a bunch of 1s and 0s at the computer to see what sticks" - Pete O'Hanlon "Not only do you continue to babble nonsense, you can't even correctly remember the nonsense you babbled just minutes ago." - Rob Graham


#4 Paul Conrad wrote:

          DotNetWWW wrote:

          is it a good idea to also Salt-Hash username?

          Not really because a one way hash will make it difficult to retrieve a lost username. If a hacker gets into your database and sees the usernames, they really don't help him/her at all when the passwords are hashed.



#5 DotNetWWW wrote:

Thanks for your answers. Isn't it useful to salt-hash the username? In that case the attacker cannot understand which record corresponds to which user. Doesn't it make the job harder for the attacker? Another point is that we implement all the algorithms for hashing, and also for combining password and salt, in code. As you know, .Net code is easily decompiled, and even when using a protector like XenoCode it is still possible to access the program code. So if the attacker can read the code, he will understand everything about the algorithm and the way we combine password and salt. What is your suggestion?


#6 Guffa wrote:

              DotNetWWW wrote:

My question is: is it possible to store the salt inside the password field instead of creating a separate field for the salt? So if an attacker breaks into the DB, he cannot extract the salt value and will not know what the salt is.

              No. You need to get the salt value when you verify a password that the user enters. You could scramble the salt in some way to make it harder to use, but that is just security by obfuscation so it doesn't add any real strength to the security.

              DotNetWWW wrote:

              And another question is that is it a good idea to also Salt-Hash username?

              No. What would be the point of protecting the user names? They can be seen in plain text on the screen when a user types it in... Generally user names are not encrypted, as they are so easy to guess or intercept anyway.

              Despite everything, the person most likely to be fooling you next is yourself.


#7 N a v a n e e t h wrote:

                DotNetWWW wrote:

                so If attacker can read code , he will understand everything about algorithm and the way we combine password and salt , what is your suggestion?

The attacker can read the algorithm, but since you are using a random salt, it is tough to hack into some account. But if he is getting the code, the chance of an attack is high. You could probably change the design.


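An added example, not code from any poster in the thread, showing the single-column layout N a v a n e e t h describes in #2 (salt bytes prepended to the hash, the whole thing base64-encoded) together with the two points raised in #6 and #7: the verifier must read the salt back out of the stored field, so packing it into the password column hides nothing from whoever has the column, while a random per-user salt keeps a fully public algorithm from being precomputed once for every row. Python is used instead of the thread's C#, and PBKDF2-HMAC-SHA256 with a work factor stands in for the MD5 step mentioned in #2 (both are my assumptions); the same layout maps directly onto RandomNumberGenerator, Rfc2898DeriveBytes and CryptographicOperations.FixedTimeEquals in System.Security.Cryptography.

```python
# Added example: one "Password" column holding base64(salt || hash).
import base64
import hashlib
import hmac
import secrets
from typing import Optional

SALT_LEN = 16          # bytes of random salt prepended to the hash
HASH_LEN = 32          # SHA-256 output size, so the split point is fixed
ITERATIONS = 200_000   # PBKDF2 work factor (assumption; tune to your hardware)


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return base64(salt || PBKDF2(password, salt)) for a single DB column."""
    if salt is None:
        salt = secrets.token_bytes(SALT_LEN)   # fresh random salt per user
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                 ITERATIONS, dklen=HASH_LEN)
    return base64.b64encode(salt + digest).decode("ascii")


def verify_password(password: str, stored: str) -> bool:
    """Split the stored field at SALT_LEN, re-derive, compare in constant time.

    The salt has to be recoverable here, which is why keeping it in the
    same column as the hash does not conceal it from anyone holding that
    column (Guffa's point in #6).
    """
    raw = base64.b64decode(stored)
    if len(raw) != SALT_LEN + HASH_LEN:
        return False                           # malformed record, never a match
    salt, expected = raw[:SALT_LEN], raw[SALT_LEN:]
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                 ITERATIONS, dklen=HASH_LEN)
    return hmac.compare_digest(actual, expected)   # no early-exit comparison


def same_password_differs(password: str) -> bool:
    """Two users with the same password get unrelated stored values.

    This is what a random per-user salt buys even when the algorithm is
    fully known from decompiled code (#5/#7): there is no single
    precomputed table that covers every row.
    """
    return hash_password(password) != hash_password(password)
```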