Magento Forum

What is the point in showing salt in passwords? 
 
grisevg
Jr. Member
 
Total Posts:  3
Joined:  2011-06-20
 

Hi,
I’ve been resetting my admin password and have seen how password hashing is implemented:

    public function hash($data)
    {
        return md5($data);
    }

    public function validateHash($password, $hash)
    {
        $hashArr = explode(':', $hash);
        switch (count($hashArr)) {
            case 1:
                // legacy unsalted md5
                return $this->hash($password) === $hash;
            case 2:
                // stored as "md5(salt . password):salt"
                return $this->hash($hashArr[1] . $password) === $hashArr[0];
        }
        Mage::throwException('Invalid hash.');
    }

What is the point in showing the salt, and even in allowing a password without a salt?
Well, default hash tables won’t work here, but md5 is still cracked really easily nowadays when you have the salt.

Don’t you think salt should be stored somewhere in config?
And this has probably been said a thousand times, but why on earth md5 and not sha1?

PS: Sorry if this issue was raised already, but I couldn’t find a thread about it.

 
 
thebod
Moderator
 
Total Posts:  81
Joined:  2010-08-11
 

Hello,

First: you’re right, md5 is not safe anymore. It would be much better to use mage/encryption instead of simple md5 with a short salt.

In fact the salt is only used to add more characters to a password. Magento uses 2 random characters, so it’s not necessary to store it somewhere in the config.

And anyway, if an attacker got access to the database, the admin credentials would be the least of the problems. Stored credit-/debit-card data, customer data, etc. are a bigger problem (in my eyes).

 
 
grisevg
Jr. Member
 
Total Posts:  3
Joined:  2011-06-20
 
thebod - 19 December 2011 12:18 AM

In fact the salt is only used to add more characters to a password

There is not much point in it, since if a hacker knows the salt he can use it in a dictionary or brute-force attack. The only thing it helps against is hash tables.
Is it in the milestones somewhere? It shouldn’t be too hard to implement.

 
 
Extendware
Sr. Member
 
Total Posts:  231
Joined:  2011-08-04
 

A salt has to be retrievable.

A salt is not meant to stop a brute force attack on an individual password. It is meant to stop a rainbow table attack across the whole list of passwords.
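As an added worked example (not code from this thread or from Magento), here is a Python port of the validateHash() logic quoted in the first post, a check that the same password under two different salts yields two different stored digests (the rainbow-table point made above), and a hardened equivalent using PBKDF2 with a 16-byte random salt that is still stored in the clear next to the digest. The function names and the `pbkdf2_sha256$...` storage format are my own.

```python
import hashlib
import hmac
import os

# Python port of the validateHash() logic quoted in the thread (constructed for illustration).
def magento_hash(data: str) -> str:
    return hashlib.md5(data.encode()).hexdigest()

def magento_make_hash(password: str, salt: str) -> str:
    # Stored form is "md5(salt . password):salt", so the salt is visible in the record.
    return magento_hash(salt + password) + ':' + salt

def magento_validate_hash(password: str, stored: str) -> bool:
    parts = stored.split(':')
    if len(parts) == 1:                      # legacy unsalted md5
        return hmac.compare_digest(magento_hash(password), stored)
    if len(parts) == 2:                      # salted: "digest:salt"
        digest, salt = parts
        return hmac.compare_digest(magento_hash(salt + password), digest)
    raise ValueError('Invalid hash.')

def salt_defeats_lookup(password: str, salt_a: str, salt_b: str) -> bool:
    # Same password, different salt, different digest: a table precomputed per
    # digest cannot be reused across accounts, which is all a public salt buys.
    a = magento_make_hash(password, salt_a).split(':')[0]
    b = magento_make_hash(password, salt_b).split(':')[0]
    return a != b

# Hardened equivalent (names and format are mine): a long random salt, still
# stored in the clear, plus a slow KDF so guessing each password is costly.
def hardened_make_hash(password: str, salt=None, iterations: int = 600_000) -> str:
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac('sha256', password.encode(), salt, iterations)
    return f'pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}'

def hardened_validate(password: str, stored: str) -> bool:
    algo, iters, salt_hex, dk_hex = stored.split('$')
    if algo != 'pbkdf2_sha256':
        raise ValueError('Invalid hash.')
    dk = hashlib.pbkdf2_hmac('sha256', password.encode(),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)
```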

 