Is there any working difference between
$hash=sha1($key.$staticSalt);
and
$hash=sha1($key.$randomSalt);
If i use random salt i need to store the random salt in the database, on the other side if i use a fixed salt then no need to use DB !
And if the code can be hacked to see the salt (static) then the hacker will be able to see the database also with the hash and random salt :D
So does it worth it ?
What if i use a salt like @#kiss~89+.&&^me
?
Answer
Random salts have a tremendous benefit. If all accounts in the system use the same salt, an attacker can brute-force calculate hashes for that salt and break into all accounts with just one computational run. If they use different salts per account, brute-force only gets you into one account.
No comments:
Post a Comment