0

I've been reading about password hash functions and it's said: use a salt to make harder the hacker's work, use a height cost algorithm, etc I've found this password_hash function but... it returns this (letters are an example to explain)

AAAACCCSSS....SSSHHH.....HHHH

Example:

You can find here an example

Where:

  • AAA is the algorithm
  • CCC is the cost
  • SSS....SSS is the salt
  • HHH.....HHHH is the hash we get

It is supposed (I think) that the algorithm, cost and salt is used to make the life harder to hackers, and if I use that my hash will be safer

But, what happened if I use all of them but I say to the hackers that I'm using this salt, algorithm and cost?

Doing that I'm giving the hackers a lot of clues

I mean,

can I store in my database all the string?

or

must I to store the hash and the (algorithm,cost,salt) in different places?

If somebody gets my DB he has all the hash passwords.

Improve this question
3
  • 1
    you can store everything in the same field. that's what it's meant for. Commented Feb 8, 2017 at 8:44
  • if somebody gets your DB, he has all the hashes. yes. but since they are safely hashed, with multiple passes of a modern algorithm and a secure salt, he won't be able to do anything with it, unless he has huge, huge, huge calculation capacities - contrary to a single, unsalted pass of MD5, which he can just look up at a rainbow table. but now, instead, he has to brute-force it Commented Feb 8, 2017 at 8:48
  • upvoted you for "10$" = "algorithm cost" Commented Feb 8, 2017 at 9:05

2 Answers 2

Reset to default
1

The security does not come from the information being secret. It comes from the algorithm being very computationally expensive.

The attack here is to guess a plaintext which, when hashed with the given algorithm and salt and cost, will result in the same hash value. Even with all the information given (except the plaintext obviously) and assuming a strong (random) plaintext password, it takes many many years, possibly millennia, to find one such value. And that's just for one password hash, to say nothing of a whole database of hashes.

The protection is in using an algorithm costly enough to make guessing infeasibly slow, not in keeping details of the algorithm (which salt and cost are) secret.

Improve this answer
Sign up to request clarification or add additional context in comments.

2 Comments

Yes, I see, but ... If I know the hash and I can't access to the salt and the algorithm ... it was harder, isn't it?
Sure… but it's already hard enough, and it's unlikely that you can hide the salt somewhere where an attacker wouldn't have access to it anyway. Because you need the salt too, and you're likely only making your own life harder.
1

The purpose of salt is to make sure that hashes are uniquely generated and cannot be looked up in an existing database such as MD5 Decrypt. Even if a salt is leaked the attacker would have to break each hashed password individually.

can I store in my database all the string?

Yes, you may store it in the database as whole just like WordPress does.

If somebody gets my DB he has all the hash passwords.

Yes but as I mentioned the hashes are of no use unless the passwords are individually cracked using brute force and that would take an insane amount of computation cost.

Improve this answer

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.