Opinions on Dual-Salt authentication for low sensitivity user accounts?
- by Heleon
EDIT - Might be useful for someone in the future...
Looking around the bcrypt class in php a little more, I think I understand what's going on, and why bcrypt is secure. In essence, I create a random blowfish salt, which contains the number of crypt rounds to perform during the encryption step, which is then hashed using the crypt() function in php. There is no need for me to store the salt I used in the database, because it's not directly needed to decrypt, and the only way to gain a password match to an email address (without knowing the salt values or number of rounds) would be to brute force plain text passwords against the hash stored in the database using the crypt() function to verify, which, if you've got a strong password, would just be more effort than it's worth for the user information i'm storing...
I am currently working on a web project requiring user accounts. The application is CodeIgniter on the server side, so I am using Ion Auth as the authentication library.
I have written an authentication system before, where I used 2 salts to secure the passwords. One was a server-wide salt which sat as an environment variable in the .htaccess file, and the other was a randomly generated salt which was created at user signup.
This was the method I used in that authentication system for hashing the password:
$chars = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789";
//create a random string to be used as the random salt for the password hash
$size = strlen($chars);
for($i = 0; $i < 22; $i++) {
$str .= $chars[rand(0, $size - 1)];
}
//create the random salt to be used for the crypt
$r_blowfish_salt = "$2a$12$" . $str . "$";
//grab the website salt
$salt = getenv('WEBSITE_SALT');
//combine the website salt, and the password
$password_to_hash = $pwd . $salt;
//crypt the password string using blowfish
$password = crypt($password_to_hash, $r_blowfish_salt);
I have no idea whether this has holes in it or not, but regardless, I moved over to Ion Auth for a more complete set of functions to use with CI.
I noticed that Ion only uses a single salt as part of its hashing mechanism (although does recommend that encryption_key is set in order to secure the database session.)
The information that will be stored in my database is things like name, email address, location by country, some notes (which will be recommended that they do not contain sensitive information), and a link to a Facebook, Twitter or Flickr account. Based on this, i'm not convinced it's necessary for me to have an SSL connection on the secure pages of my site.
My question is, is there a particular reason why only 1 salt is being used as part as the Ion Auth library? Is it implied that I write my own additional salting in front of the functionality it provides, or am I missing something?
Furthermore, is it even worth using 2 salts, or once an attacker has the random salt and the hashed password, are all bets off anyway? (I assume not, but worth checking if i'm worrying about nothing...)
