Code Project
bpfh

@bpfh
Posts

  • Salted Password Hashing - Doing it Right
    B bpfh

    Hi,

    This I understand. What I mean is this: if each salt is unique, your passwords will never match, as between generation and comparison they will have to be different! In very simplified pseudocode:

    Making the salted password:

    $salt = generateRandomSalt();
    //The function returned 159
    $pwd = md5('password');
    //$pwd = 12345678901234567890123456789012
    writeToDb($salt + $pwd);

    Checking the salted password:

    $salt = generateRandomSalt();
    //This time the function returned 246
    $pwd = md5('password');
    //$pwd = 12345678901234567890123456789012

    //compare
    //12312345678901234567890123456789012 and
    //24612345678901234567890123456789012
    //Not looking good...

    if(($salt + $pwd) == getStoredPasswordFromDB()) then
    win();
    else
    fail();
    endif

    As the generated salt will always be random, the salt will always be different for each call, so... if both passwords are different, how do you validate it?

    In this example with a random salt, the checking condition will always fail, and if you store the salt (or even store the method of generating a unique salt per user), then you are pwned just as bad; it will just take some extra time to reverse engineer the login system, and from there, back to some form of rainbow tables once the salt part is understood and removed.

    Can someone light my candle here? My area of expertise is PHP along with Classic VB & VBA, so a .NET library is not much use, but really, it's the idea of just how this really works, as I am already sold on the need of such a system!

    Cheers!

    The Insider News csharp security tutorial

  • Salted Password Hashing - Doing it Right
    B bpfh

    Hold on:

    To create: take a random salt + password and hash. OK, I understand.

    To validate: take the random salt + password and hash and check against the stored. This does not compute... There are 2 random salts here... so 2 different hashes? Unless the salts are stored... and if your system has been pwned, your salt is pwned too... And so back to square one...

    The Insider News csharp security tutorial
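
Added example, not part of the posts above or of the article they reply to: a minimal Python sketch of the usual scheme, in which the salt is drawn once at enrollment, stored in clear beside the hash, and read back at login. The record layout, the function names and the PBKDF2 work factor are assumptions made for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000  # example work factor (assumption); tune for your hardware


def _derive(password: str, salt: bytes, iterations: int) -> bytes:
    # PBKDF2-HMAC-SHA256 stands in for whatever slow hash the system uses.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def make_record(password: str) -> dict:
    """Enrollment: draw the salt once and store it in clear next to the hash."""
    salt = os.urandom(16)
    return {
        "salt": salt.hex(),
        "iterations": ITERATIONS,
        "hash": _derive(password, salt, ITERATIONS).hex(),
    }


def verify(password: str, record: dict) -> bool:
    """Login: reuse the stored salt, never a new one, then compare in constant time."""
    salt = bytes.fromhex(record["salt"])
    candidate = _derive(password, salt, record["iterations"])
    return hmac.compare_digest(candidate, bytes.fromhex(record["hash"]))


def verify_with_fresh_salt(password: str, record: dict) -> bool:
    """The check from the pseudocode above: a new random salt at login always fails."""
    candidate = _derive(password, os.urandom(16), record["iterations"])
    return hmac.compare_digest(candidate, bytes.fromhex(record["hash"]))


if __name__ == "__main__":
    # Constructed sample: two users who picked the same password.
    alice, bob = make_record("password"), make_record("password")
    print("same password, same hash?  ", alice["hash"] == bob["hash"])
    print("stored-salt check passes?  ", verify("password", alice))
    print("wrong password passes?     ", verify("passw0rd", alice))
    print("fresh-salt check passes?   ", verify_with_fresh_salt("password", alice))
```

The salt is not a secret: its job is to make every record's hash unique, so a table precomputed for one salt does not apply to any other record and each account has to be attacked separately at the full cost of the slow hash.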

  • Developers Beware.
    B bpfh

    Linked list: Hold your horses, this is how the Microsoft FAT works unless my alcohol-addled brain is playing games. Patent number 5,579,517, issued in 1996... and successfully challenged and cancelled in 2012...

    The Lounge com data-structures

  • The strange case of the missing file structure
    B bpfh

    Even if you do find out how or what happened, you need the data back. You *do* have a recent backup somewhere... right?

    The Lounge html database com announcement

  • The strange case of the missing file structure
    B bpfh

    You *do* have backups, right....?

    The Lounge html database com announcement

  • The questions we get these days!
    B bpfh

    I remember reading through the multi-hundred page MS-DOS 3.3 manual, remembering the commands. I remember reading through the text files on my "teach yourself C" CD with its Symantec C compiler, and from that made DOS-based graphics interface EXE files. I remember learning HTML basics by reading the RFC after downloading them from work (oh joy, a 2 megabit connection at work in 1998 along with 40 PPM printers :D ).

    All the basics of opening, reading and writing to files were as valid in C in 1995 as they are today in PHP, but I am continually surprised by the level of some developers I work with. I'm in a PHP house at the moment. They all want to make their own "frameworks", but when it comes to raw language, how to read and write to a file, error handling, bounds checking, loop control (come on now!), the young'uns today seem to have lost the basics. OK, you can build a castle on sand, but don't expect it to last the centuries before it falls over.

    Come on guys. If you are really lost, go bug your local library and borrow something written by Donald Knuth along with a language reference. If you cannot solve the problem with that, *then* come here and yell for help!

    I don't mind people using the internet to look things up, it's the best reference manual there is today, especially as Einstein is supposed to have said something like "the most important is not to know, but to know where to look", but you really have to push this one just a tad further. "Seek and ye shall find", but "understand and ye shall know". This one people tend to forget. I'll help people who help themselves :)

    In the end though, I really get the feeling that I am the last of my species: the self-taught geek who relies on his own brain. Oh well. I'll still try to make the most of it while it lasts!!!

    Cheers, Daniel

    C / C++ / MFC help question performance learning

  • HP Laptop Issue
    B bpfh

    I had a similar problem; I noticed that my battery life had dropped over 2 weeks from 2 hours to 40 minutes, and from time to time the power light on the front of the computer would flash when the computer was charging. I downloaded the HP Battery Check from their support website to check the battery, which told me to contact HP as my battery was damaged (and the pc was under warranty). This did not solve the problem as the battery would charge 2% then the power light would flash again (and would not charge). As the whole pc was under warranty, I sent my old battery, my new battery and the portable to HP and they ended up changing the internal charge management card, and I believe the mainboard too... You can search HP's site for more info. What PC do you have? (I'll look up their maintenance manual for your beast :-) ) Other solution; if you are still under guarantee, send it back, if not, either get a guarantee extension or think about a new PC! Cheers, Daniel

    System Admin com help question

  • RAID 0+1 lost drive 1...
    B bpfh

    A clicking sound is never good... Head crash (head bouncing off the disk platters...). IBM / Fujitsu had this problem with their Deathstar deskstar line of drives and its infamous "click of death". Best way is to get a SMART analysis tool (Google for Speedfan), read the SMART help and check out the drive's SMART attributes.

    When I worked for IBM as desktop support, we would regularly have replacement hardware delivered that we would have to mark as "new-defect"... Someone in the central parts store would repack a bad drive and restock it... We did not pay for the parts, but for a general public user, this starts to be a nightmare...

    Forget trying to rebuild the RAID, plug the drive in as a standalone drive and check SMART... - Do this with the replacement drive that they send you back too - probably find that the bad sector count is high and the overall drive health warrants a replacement; otherwise, leave the computer alone over a weekend and let the array rebuild... Best would be to rebuild the array from the BIOS, and not from Windows, as that way there is no concurrent drive access between the RAID BIOS reconstructing the drive and I/O requests from Windows at the same time, and the construction will be faster.

    Good luck! Daniel -- modified at 17:04 Tuesday 8th August, 2006

    The Lounge help question