Magento Forum

   
What is the point in showing salt in passwords? 
 
grisevg
Jr. Member
 
Total Posts:  3
Joined:  2011-06-21
 

Hi,
I’ve been resetting my admin password and saw how password hashing is implemented:

    // Plain md5 of the input, no salt applied here
    public function hash($data)
    {
        return md5($data);
    }

    // Stored value is either "md5hex" (no salt) or "md5hex:salt"
    public function validateHash($password, $hash)
    {
        $hashArr = explode(':', $hash);
        switch (count($hashArr)) {
            case 1:
                // unsalted record
                return $this->hash($password) === $hash;
            case 2:
                // salted record: salt is prepended to the password before hashing
                return $this->hash($hashArr[1] . $password) === $hashArr[0];
        }
        Mage::throwException('Invalid hash.');
    }

What is the point in showing the salt, and even allowing a password without a salt?
Well, default hash tables won’t work here, but md5 is still cracked really easily nowadays when you have a salt.

Don’t you think the salt should be stored somewhere in config?
And this has probably been said a thousand times, but why on earth md5 and not sha1?

PS: Sorry if this issue was raised already, but I could find a thread with it.

 
 
thebod
Moderator
 
Total Posts:  81
Joined:  2010-08-11
 

Hello,

first: you’re right, md5 is not safe anymore. It would be much better to use mage/encryption instead of simple md5 with a short salt.

In fact the salt is only used to add more characters to a password. Magento uses 2 random characters, so it’s not necessary to store it somewhere in the config.

And, after all, if an attacker got access to the database, the admin credentials would be the least of the problems. Stored credit/debit card data, customer data, etc. are a bigger problem (in my eyes).

 Signature 

thebod.de - Hucke Media - @b_ike

Need easy configurable shipping rates? Check out Thebod_Shippingrates or fork on Github

 
 
grisevg
Jr. Member
 
Total Posts:  3
Joined:  2011-06-21
 
thebod - 19 December 2011 01:18 AM

In fact the salt is only used to add more characters to a password

There is not much point in it, since if a hacker knows the salt he can use it in a dictionary or brute force attack. The only thing it helps against is hash tables.
Is it in the milestones somewhere? It shouldn’t be too hard to implement.

 
 
Extendware
Sr. Member
 
Total Posts:  200
Joined:  2011-08-04
 

A salt has to be retrievable.

A salt is not meant to stop a brute force attack on an individual password. It is meant to stop a rainbow table attack across the whole list of passwords.

 Signature 

#1 Magento extension provider
Full Page Cache | Site Speedster | Ajax Cart | Ajax Navigation | Custom Order Numbers | Spam and Bot Protection & More
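The two points made in the reply above (the salt has to be retrievable, and its job is to defeat a precomputed table across the whole password list rather than a brute force on one password) as a runnable PHP script. This is an added example, not code from Magento or from anyone in the thread: it reproduces the "md5hex:salt" layout of the validateHash() posted earlier, then sets it beside PHP's built-in password_hash(), which also stores its salt in the clear. The function names are made up for the example, and the bcrypt comparison is an addition, not something the thread proposes.

```php
<?php
declare(strict_types=1);

// Added example, not Magento code. Legacy scheme from the thread: md5(salt . password),
// stored as "md5hex:salt" so the salt can be read back at validation time.
function legacyHash(string $password, string $salt): string
{
    return md5($salt . $password) . ':' . $salt;
}

// Mirrors the switch in the posted validateHash(): 1 part = unsalted, 2 parts = salted.
// hash_equals() is used instead of === to keep the comparison constant-time.
function legacyValidate(string $password, string $stored): bool
{
    $parts = explode(':', $stored);
    switch (count($parts)) {
        case 1:
            return hash_equals($parts[0], md5($password));
        case 2:
            return hash_equals($parts[0], md5($parts[1] . $password));
    }
    return false; // anything else is a malformed record
}

// Modern replacement (PHP 5.5+): bcrypt with a random 128-bit salt that PHP generates
// and embeds in the returned string itself.
function modernHash(string $password): string
{
    return password_hash($password, PASSWORD_BCRYPT, ['cost' => 12]);
}

function modernValidate(string $password, string $stored): bool
{
    return password_verify($password, $stored);
}

// Small helper so the walk-through fails loudly (assert() may be compiled out in production).
function check(bool $ok, string $what): void
{
    if (!$ok) {
        throw new RuntimeException("check failed: $what");
    }
}

// --- Walk-through on constructed sample data ---
$password = 'correct horse'; // constructed sample password

// Without a salt, every user with this password shares one hash, so a single lookup
// table cracks all of them at once. That is the "hash table" attack the thread mentions.
$unsalted = md5($password);

// With a per-user salt the stored values differ even for identical passwords,
// so a precomputed table would have to be rebuilt per salt value.
$alice = legacyHash($password, 'a1'); // constructed 2-character salts, as Magento uses
$bob   = legacyHash($password, 'z9');
check($alice !== $bob, 'same password, different salts, different records');
check(legacyValidate($password, $alice), 'alice verifies');
check(legacyValidate($password, $bob), 'bob verifies');
check(legacyValidate($password, $unsalted), 'unsalted record still verifies (case 1)');
check(!legacyValidate('wrong password', $alice), 'wrong password rejected');

// The salt sits in plain view in the record: its purpose is to make precomputation
// per-user, not to stay secret. With only 2 characters there are a few thousand possible
// salts, and because md5 is fast, a dictionary run against each record is still cheap.

// bcrypt stores its salt in the clear too: "$2y$12$" + 22 salt chars + 31 hash chars.
// The difference is that every guess costs 2^12 rounds instead of one md5 call.
$stored = modernHash($password);
check(strlen($stored) === 60, 'bcrypt record is 60 characters');
check(strpos($stored, '$2y$12$') === 0, 'bcrypt record carries its own algorithm, cost and salt');
check(modernValidate($password, $stored), 'bcrypt verifies');
check(!modernValidate('wrong password', $stored), 'bcrypt rejects wrong password');

echo "legacy alice:  $alice\n";
echo "legacy bob:    $bob\n";
echo "bcrypt record: $stored\n";
```

Run it with `php salt_demo.php`; the printed bcrypt record changes on every run because a fresh salt is generated each time, while the legacy records are fixed by their two-character salts.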

 