
I have a PHP website storing user passwords encrypted and salted.

Method used is crypt($password, $salt). Salt is generated randomly.

Result is something like

$2a$08$saltsaltsaltsaltsaltsaltsaHashHashHashHashHashHashHash

Now I have to login to this database using something different than PHP, e.g. .NET. Problem now: crypt() does not exist in .NET.

I am now thinking of rewriting crypt() in .NET and extracting the salt from the above password hash.

Is it safe to make the salt used for hashing a password publicly available? Or do I weaken security extremely?

Nikki Erwin Ramirez
  • It's not clear what you mean by "public" here - you always need to know the salt in order to check a password, as you encrypt the user-entered password with the same salt and check that the result is the same as the original result. – Jon Skeet Jan 12 '15 at 07:19
  • Public means, e.g., sending the salt to anybody asking for it. A user could then recreate their own password hash on a local machine. – Michael Elerts Jan 12 '15 at 08:12

1 Answer


Yes, sending the salt to anyone asking for it is insecure. Knowing it makes the number of possible values to guess much smaller and it is much easier to use brute force attacks to guess the original unsalted password. See this answer in security.stackexchange.com for more details.

NextInLine
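As an added example (not code from the question, the answer, or any PHP or .NET library): a Python parser for the 60-character string that crypt() returns in this bcrypt scheme. It shows that the salt is a fixed, in-the-clear field of the stored value, that a verifier rebuilds the "$2a$08$&lt;salt&gt;" settings prefix from it and feeds that back into the hash function, and it adds one defender-side check: random per-user salts should never repeat across an account table. SAMPLE is a constructed value in the question's shape, not a real hash; `compute` is a placeholder for a real bcrypt implementation (assumed here to take a password and a settings string and return the full 60-character result, which is how both PHP's crypt() and the Python `bcrypt` package's `hashpw` behave when given the stored string as the salt argument).

```python
"""Parse and sanity-check bcrypt strings of the shape PHP crypt() produces."""
import hmac
import re
from collections import Counter
from typing import Callable, Dict, List

# bcrypt's own base64 alphabet: '.' and '/' first, then A-Z, a-z, 0-9; no padding.
BCRYPT_ALPHABET = "./ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"

# $<scheme>$<cost>$<22 salt chars><31 digest chars>  -> 60 characters in total
_BCRYPT_RE = re.compile(
    r"^\$(2[abxy]?)\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$"
)

# Constructed sample in the question's shape (placeholder letters, not a real hash).
SAMPLE = "$2a$08$saltsaltsaltsaltsaltsaHashHashHashHashHashHashHashHas"


def parse_bcrypt(stored: str) -> Dict[str, object]:
    """Split a stored bcrypt string into its fields, rejecting malformed input."""
    m = _BCRYPT_RE.match(stored)
    if m is None:
        raise ValueError("not a bcrypt modular-crypt string")
    scheme, cost_str, salt, digest = m.groups()
    cost = int(cost_str)
    if not 4 <= cost <= 31:
        raise ValueError(f"bcrypt cost {cost} outside 4..31")
    return {
        "scheme": scheme,   # "2", "2a", "2b", "2x" or "2y"
        "cost": cost,       # work factor: 2**cost key-setup rounds
        "salt": salt,       # 128-bit salt, bcrypt-base64, stored in the clear
        "digest": digest,   # 184-bit truncated hash output, bcrypt-base64
    }


def bcrypt_b64decode(text: str) -> bytes:
    """Decode bcrypt's base64 variant; 22 salt characters yield the 16 salt bytes."""
    bits = 0
    nbits = 0
    out = bytearray()
    for ch in text:
        bits = (bits << 6) | BCRYPT_ALPHABET.index(ch)
        nbits += 6
        while nbits >= 8:
            nbits -= 8
            out.append((bits >> nbits) & 0xFF)
    return bytes(out)  # trailing partial bits (4 of them for a salt) are dropped


def settings_string(stored: str) -> str:
    """The '$2a$08$<salt>' prefix: what another crypt() takes as its salt argument."""
    f = parse_bcrypt(stored)
    return f"${f['scheme']}${f['cost']:02d}${f['salt']}"


def verify_with(stored: str, candidate: str,
                compute: Callable[[str, str], str]) -> bool:
    """Re-run the hash with the stored settings and compare in constant time."""
    recomputed = compute(candidate, settings_string(stored))
    return hmac.compare_digest(recomputed.encode(), stored.encode())


def find_reused_salts(stored_values: List[str]) -> Dict[str, int]:
    """Defender check: salts that appear more than once across an account table."""
    counts = Counter(parse_bcrypt(s)["salt"] for s in stored_values)
    return {salt: n for salt, n in counts.items() if n > 1}


if __name__ == "__main__":
    fields = parse_bcrypt(SAMPLE)
    print("scheme", fields["scheme"], "cost", fields["cost"])
    print("salt  ", fields["salt"], "->", bcrypt_b64decode(fields["salt"]).hex())
    print("prefix for crypt()/hashpw:", settings_string(SAMPLE))
```

Whatever the .NET side ends up using for the hash itself, it needs exactly this split: take the stored string, hand the first 29 characters (scheme, cost, salt) back to the bcrypt routine as its settings, and compare the full result against what is in the database. `find_reused_salts` over an export of the password column is a cheap way to confirm that the "randomly generated" salt really is per-user: a repeated salt means two accounts with the same password also have the same stored hash.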