Clever Geek Handbook

Does accidentally overwrite a salted password when enhancing login security?

I am currently working on a PHP project and am wondering how to make my system as secure as possible now. I currently use password_hash

to hash my passwords and then store them in my database. What I was wondering: is it overwriting and re-saving the new salted hash to the database, improving security, or is it just an illusion?

+3


source to share


3 answers


I don't think it will increase security, no. You have two risk scenarios:

  • The cracker crashes into the server and stays there for a short time. In this case, passwords can only be captured programmatically at login. This requires much less effort than forcing strong hashing algorithms.
  • The cracker will hack, steal a copy of the database, and in response sysadmin plugs in a security hole and quickly restores the server from the backup.

In the second case, the attacker has a bunch of usernames, email addresses, and hashed passwords that they might want to force them to try. There is no advantage if these hashes were generated one or more times.

It is worth remembering what we are trying to protect here. If the security of the website has been compromised, there is a knocking effect on users who have used the same username and password combination on other popular services. The main reason for hashing and the purpose an attacker uses in brute-force passwords is to check if users can be hacked elsewhere (for example, on their social media or bank accounts).



This is why we recommend people not to reuse passwords, but instead should use strong passwords stored in a password manager. It's even better if people can use a different username and / or a different email for each service. By the way, it's surprisingly easy to use email for every service: if you're on GMail with an address gmail.alias@gmail.com

, just do the following:

gmail.alias+randomcode@gmail.com

Of course, the email should be stored in your password manager - if you forget about it, you won't be able to use the password reminder features and you will be blocked if the service doesn't want to accept some other ID. Regardless, this approach is stronger against the ripple effect of using a service that is broken - a weak password reminder system elsewhere is harder to use if users always use different email addresses.

Users with their own domain name can do something similar - set up an email account to "catch everything" and then use whatever aliases you like.

+5


source


Computing a new hash with a new salt every time a user logs in will not improve the security of your system.



Since the password will be the same and only the salt will change, a cracker with access to the hashes can brute-force the same cost. Changing the salt will not improve safety, salt is no secret, it does its job completely even if known. Hiding or changing doesn't add any meaning (hiding is difficult and there are better methods to add a secret than hiding the salt).

+2


source


First of all, I am not a cryptographer. I had a cryptography class at university, but that doesn't make me an expert.

The reason for the salt is that a dictionary hash attack won't work. Since the same password can be combined with many different salts, there are many different hashes. Thus, it is not possible to have a simple hash for the password table, which would be possible without salt.

Thus, there is no additional benefit of reusing the password with a different salt. New salt should be just as random as old salt and therefore just as safe.

However, if the password does not change for a long time, it can be hashed using a hashing algorithm that was good at hashing time but is poor now. PHP has built-in functions, especially for hashing passwords since PHP 5.5 .

The recommended way to work is explained on the PHP website, but it boils down to this: use password_verify

to validate the password, use password_hash

to encrypt the password. Use password_needs_rehash

to check if the password is corrupted with a secure hash. If it is not, rename it or ask the user to change it (depending on security policy).

+2


source






More articles:


All Articles