undefined | Better HN

0 pointsapgwoz17y ago0 comments

why would you need to transmit the unique salt? why would you transmit anything other than the form to the client? all the checks would be done on the server side.

a) user enters username/password

b) server looks up in a file the unique string and appends it to the password

c) server finds username's salted-password hash

d) server extracts hash from stored salted-password hash (possibly the first 4 characters or whatever)

e) server concatenates salt, plaintext password and unique string and hashes via sha-N/md5

f) server compares to stored salted-password and if same performs login. otherwise sends generic "invalid username/password combination" message.

0 comments

3 comments · 1 top-level

t0pj17y ago· 2 in thread

That's exactly what I'm doing.

I think stcredzero is concerned about the plaintext password passing through the pipes.

In this case, unique salts and hashes are used to simply protect the database; when the data is stolen, a rainbow attack will not effectively work.

Hashing those passwords also protects the user who uses the same email/id/password everywhere; if your db is compromised, you don't also compromise the user's identity (e-mail accounts, banking, etc).

It depends on the app, but I also think sending salts to the client and doing some md5/javascript in the browser is generally overkill.

apgwozOP17y ago

SSL certs are like $15/year. Not sure why people don't just get them instead of playing with md5/javascript...

tptacek17y ago

Could not agree any more strongly about this. You still need to use bcrypt to store passwords, because you will eventually screw up Unicode and SQL on a complicated form somewhere and give up your whole password database. But if you're willing to spend ever a quarter person/day on password auth, there is no economy at all to skipping SSL.

1 more reply

j / k navigate · click thread line to collapse