I was doing a little research or googling for different methods of handling password hashing and salting and came across this interesting link:
Now, essentially what this proposes is the creation of two user functions, one for hashing and one for checking the hash.
The salt is pseudo random but is in actual fact based upon the password (strikes me as bad?).
The hashing function also pseudo randomly "sprinkles" the salt amongst the hash string.
The hash checking function reverses the salt sprinkling and then the actual hash check takes place.
Now, I'm aware that unique salts for each password hash = good, but also that having the logic to hash the passwords and create the salt stored in a db function might = bad.
I like the idea that the salt isn't obvious and that it also needn't be based on some hopefully consistent value such as username, userid, date of birth etc, but as I said I do have my doubts as to the implementation.
So, what are people's opinions and ideas of "best approach solutions"?
I can't view the link in the original question (the website just returns a 404 not found error), but the method described in the question is not really using a salted hash.
In essence, this method is just using a non-standard hash: given a specific password, there is one unique value that will be stored in the database. This is all that is needed to make a rainbow tables attack work: I can precompute the hash value for a dictionary of likely passwords and look for any matches. Now, I will have to precompute rainbow tables specifically for this non-standard hash function.
In a proper implementation of salted hashes, when the password is created, a random salt is combined with the password and hashed. Then the random salt used and the hash are stored. Even if I know the password, I cannot predict what the hash will be since there will be a different hash for each of the many possible salt values. Now an attacker needs to precompute a rainbow table for each possible salt value: this takes a much larger effort.
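The difference described in the answer above, as an added example that is not part of the original posts. `derived_salt_hash` is a constructed stand-in for the linked scheme (its real code is not available), and the use of PBKDF2-HMAC-SHA256, the iteration count and the sample word list are assumptions made for the illustration.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

ITERATIONS = 200_000  # assumed work factor for this example


def derived_salt_hash(password: str) -> str:
    """Constructed stand-in: the 'salt' is computed from the password itself."""
    pw = password.encode()
    salt = hashlib.sha256(b"salt:" + pw).hexdigest()[:8]  # deterministic, not random
    digest = hashlib.sha256(salt.encode() + pw).hexdigest()
    pos = len(pw) % len(digest)  # "sprinkle" position also depends on the password
    return digest[:pos] + salt + digest[pos:]


def lookup_table(words):
    """One table covers every user, because equal passwords give equal stored values."""
    return {derived_salt_hash(w): w for w in words}


def random_salt_hash(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Per-password random salt, stored next to the digest in the user record."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    return hmac.compare_digest(random_salt_hash(password, salt)[1], digest)


SAMPLE_WORDS = ["password", "letmein", "hunter2"]  # constructed sample dictionary

if __name__ == "__main__":
    # Two users with the same password: identical rows under the derived scheme.
    alice, bob = derived_salt_hash("hunter2"), derived_salt_hash("hunter2")
    print("derived-salt rows equal:", alice == bob)
    print("recovered from one shared table:", lookup_table(SAMPLE_WORDS).get(alice))

    # Same password with random salts: different rows, each still verifiable.
    (s1, d1), (s2, d2) = random_salt_hash("hunter2"), random_salt_hash("hunter2")
    print("random-salt rows equal:", d1 == d2)
    print("verifies with stored salt:", verify("hunter2", s1, d1))
```
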
There have been many similar questions asked before:
That should get you an idea of how to hash passwords.