开发者

Salting passwords in open-source projects

问答 作者:

I'm preparing to put a project publicly on github. In my project, for login authentication, I take a string and strongly type it as a Password:

// Stripped down here on SO for brevity
public class Password
{
    private const string salt = "sealab2021";

    public Password(string password) 
    {
        this.saltedPasswordHash = new MD5Hash(password + this.salt).ToString();
    }

    public string SaltedHash { get; private 开发者_如何学运维set; }
}

Obviously, if the salt is publicly-viewable, the salt's worthless.

What do other people do to salt passwords in open-source projects and still keep the salt phrase securely hidden?

Should the salt exist somewhere on the file system and be loaded when the application starts? Seems like a reasonable solution, but if I'm going to actually use github for source control and not just do dumps to github when new versions are released, that file's still going to be accessible to the public.

Obviously, if the salt is publicly-viewable, the salt's worthless.

Not true. You should assume that the salt is potentially known to an attacker, rather than relying on security-through-obscurity.

Your mistake is that you're using a single, shared salt for the entire system. You should use a separate, pseudo-random salt for each user, and then store that salt with the password hash for that user.

I would also recommend using a system like PBKDF2 or bcrypt rather than a simple salted hash.

First, salts don't need to be secret. They need to be random. A salt is meant for situations when the attacker has already compromised the database (and often the filesystem). That means they have access to the hashed passwords and salts. However, the salts still greatly increase the effort needed to get the plaintext password.

More importantly, login salts should be random and per-user. Generate a random value when the user is created. If you want to use two salts (one per-user, and one per-installation), generate a random value in a setup script.

Finally, this is not a open source/proprietary issue. Such hard-coded values can easily be reverse-engineered from proprietary software.

继续阅读:passwordssaltsecurity

更多精彩内容

0

上一篇:

下一篇:

精彩评论

暂无评论...
登录 注册
Qedev.com
验证码 换一张
取 消

最新问答

问答排行榜

法律声明:本站内容均为网友上传,网站举办方负责审核和监督,

如存在版权或非法内容,欢迎举报,我们将尽快予以删除。

Copyright © 2018-2020 开发者. All rights reserved.

Powered by 开发者

ICP备案号: 京ICP备10032868号-9