What is SALT and how do I use it?

When I first asked this question, many years ago, I was asked in response, "What does salt do for food?" The answer is that it adds variety to food. The idea behind cryptographic salt is that it's something you add to the end or beginning of a string in order that two passwords that are identical don't hash to the same cryptographic value.

Consider this - if I had a password that was really common, like 'hello123', and then it hashed to the exact same cryptographic hash as all other 'hello123' passwords, couldn't I just look in the list of hashed passwords to see who else had the same cryptographic hash, and use my password on their account?


I am definitely not an expert, but the really short answer is that "salting" a line of text means to stick a few extra characters on the end of it. You could salt "salt" with "abcdefg" to get "saltabcdefg". This might be useful if "salt" happens to be a password that you'd like to make more difficult to guess.

Typically, the password+salt are transformed ('hashed') by some difficult-to-reverse process into a completely different string. This transformed string is then stored as the password, together with the plaintext of the salt, and the original plain text of the password proper is tossed away. When you want to check that someone has input the correct password, you combine whatever they've typed in with the salt that's listed in the password file and then hash the result. If the result matches the password hash you have on record, then you know that they've put in the right password.

Implementing a salt can be as easy as picking a string to serve as the salt and then making sure you keep track of it. But, you could vary the salt with each password, and then you'll have to have a way of keeping track of password+salt combinations as well as generating the variations. Of course, you'll probably also want to hash the password rather than saving the password's plain text, and so you'll have to pick a hash function. At this point, the problem has proceeded from salting proper to implementing a password security scheme.

For PHP, you might want to look at how some of the frameworks have implemented this. Two quick links, for CakePHP and Zend, respectively:

http://www.jotlab.com/2010/04/18/cakephp-rainbow-table-protection-behaviour/

http://www.zimuel.it/blog/2009/07/build-a-secure-login-with-zend-framework/
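The scheme the answer above describes (random salt per user, salt stored next to the hash, the same combination recomputed on login) as an added PHP example; this is not code from the answerer or from either framework linked above, and the function names `register_user` and `check_password` are my own for illustration. It also demonstrates the point from the question: two users with the identical password end up with different stored hashes.

```php
<?php
// Added example, not part of the original answer.
// Per-user random salt, combined with the password before hashing, stored
// alongside the hash, and verified by recomputing the same combination.

function register_user(string $password): array {
    // 16 bytes from the CSPRNG, hex-encoded so it can live in a text column.
    // A fresh salt per user is what prevents identical passwords from
    // producing identical hashes (one global salt would not achieve that).
    $salt = bin2hex(random_bytes(16));

    // Combine salt and password, then hash. sha256 is used here only to show
    // the mechanics of salting; see password_hash() below for real use.
    $hash = hash('sha256', $salt . $password);

    // Store both; the plaintext password is discarded.
    return ['salt' => $salt, 'hash' => $hash];
}

function check_password(string $candidate, array $record): bool {
    // Recompute with the salt on record and compare.
    $hash = hash('sha256', $record['salt'] . $candidate);

    // hash_equals() compares in constant time so the comparison itself does
    // not leak how much of the hash matched.
    return hash_equals($record['hash'], $hash);
}

// Constructed sample: two users with the same password 'hello123'.
$alice = register_user('hello123');
$bob   = register_user('hello123');

var_dump($alice['hash'] !== $bob['hash']);      // different salts, different hashes
var_dump(check_password('hello123', $alice));   // correct password
var_dump(check_password('hello124', $alice));   // wrong password

// What production PHP code should actually use: password_hash() generates the
// salt itself, embeds it in the returned string, and runs a deliberately slow
// password-hashing algorithm (bcrypt for PASSWORD_DEFAULT as of PHP 8).
$stored = password_hash('hello123', PASSWORD_DEFAULT);
var_dump(password_verify('hello123', $stored));
```

The salt is not a secret; its only job is to make each stored hash unique, so a precomputed table of hashes for common passwords (a rainbow table) has to be rebuilt per user. What the salt does not do is slow down guessing against a single account, which is why the manual `sha256` version above is shown for understanding only and the last two lines use `password_hash()`/`password_verify()`: they handle salt generation and storage for you and use an algorithm designed to be expensive to brute-force.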

Tags: php, salt