I came across a discussion in which I learned that what I'd been doing wasn't in fact salting passwords but peppering them, and I've since begun doing both with a function like: hashfunction($salt.hashfunction($pepper.$password)) multiple iterationsIgnoring the chosen hash algorithm (I want this to be a discussion of salts & peppers and not specific algorithms but I'm using a secure one), is this a secure option or should I be doing something different? For those unfamiliar with the terms:.A salt is a randomly generated value usually stored with the string in the database designed to make it impossible to use hash tables to crack passwords. As each password has its own salt, they must all be brute-forced individually in order to crack them; however, as the salt is stored in the database with the password hash, a database compromise means losing both.A pepper is a site-wide static value stored separately from the database (usually hard-coded in the application's source code) which is intended to be secret.
Management trainees program. In addition to ensuring workflow productivity, their responsibilities include managing employees, leading aspects of inventory management, scheduling, and financial reporting.Rental Management Trainees deliver best-in-class transportation solutions to our commercial customers. Management Trainee ProgramsOperations Management Trainees assist management across Fleet Maintenance, Asset Management, Operations, Sales, and Rental.
It is used so that a compromise of the database would not cause the entire application's password table to be brute-forceable.Is there anything I'm missing and is salting & peppering my passwords the best option to protect my user's security? Is there any potential security flaw to doing it this way?Note: Assume for the purpose of the discussion that the application & database are stored on separate machines, do not share passwords etc. So a breach of the database server does not automatically mean a breach of the application server. Seeing as I need to write about this and, I'll do one last canonical answer on pepper alone. The Apparent Upside Of PeppersIt seems quite obvious that peppers should make hash functions more secure. I mean, if the attacker only gets your database, then your users passwords should be secure, right?
Seems logical, right?That's why so many people believe that peppers are a good idea. It 'makes sense'.
The Reality Of PeppersIn the security and cryptography realms, 'make sense' isn't enough. Something has to be provable and make sense in order for it to be considered secure. Additionally, it has to be implementable in a maintainable way. The most secure system that can't be maintained is considered insecure (because if any part of that security breaks down, the entire system falls apart).And peppers fit neither the provable or the maintainable models. Theoretical Problems With PeppersNow that we've set the stage, let's look at what's wrong with peppers.Feeding one hash into another can be dangerous.In your example, you do hashfunction($salt. $password)).We know from past experience that 'just feeding' one hash result into another hash function can decrease the overall security.
The reason is that both hash functions can become a target of attack.That's why algorithms like use special operations to combine them (hmac in that case).The point is that while it's not a big deal, it is also not a trivial thing to just throw around. Crypto systems are designed to avoid 'should work' cases, and instead focus on 'designed to work' cases.While this may seem purely theoretical, it's in fact not. For example,. So passing bcrypt(hash(pw), salt) can indeed result in a far weaker hash than bcrypt(pw, salt) if hash returns a binary string.Working Against DesignThe way bcrypt (and other password hashing algorithms) were designed is to work with a salt. The concept of a pepper was never introduced.
This may seem like a triviality, but it's not. The reason is that a salt is not a secret.
It is just a value that can be known to an attacker. A pepper on the other hand, by very definition is a cryptographic secret.The current password hashing algorithms (bcrypt, pbkdf2, etc) all are designed to only take in one secret value (the password). Adding in another secret into the algorithm hasn't been studied at all.That doesn't mean it is not safe. It means we don't know if it is safe. And the general recommendation with security and cryptography is that if we don't know, it isn't.So until algorithms are designed and vetted by cryptographers for use with secret values (peppers), current algorithms shouldn't be used with them.Complexity Is The Enemy Of SecurityBelieve it or not,. Making an algorithm that looks complex may be secure, or it may be not.
But the chances are quite significant that it's not secure.Significant Problems With Peppers.It's Not MaintainableYour implementation of peppers precludes the ability to rotate the pepper key. Since the pepper is used at the input to the one way function, you can never change the pepper for the lifetime of the value. This means that you'd need to come up with some wonky hacks to get it to support key rotation.This is extremely important as it's required whenever you store cryptographic secrets. Not having a mechanism to rotate keys (periodically, and after a breach) is a huge security vulnerability.And your current pepper approach would require every user to either have their password completely invalidated by a rotation, or wait until their next login to rotate (which may be never).Which basically makes your approach an immediate no-go.It Requires You To Roll Your Own CryptoSince no current algorithm supports the concept of a pepper, it requires you to either compose algorithms or invent new ones to support a pepper. And if you can't immediately see why that's a really bad thing:Anyone, from the most clueless amateur to the best cryptographer, can create an algorithm that he himself can't break.NEVER roll your own crypto.The Better WaySo, out of all the problems detailed above, there are two ways of handling the situation.Just Use The Algorithms As They ExistIf you use bcrypt or scrypt correctly (with a high cost), all but the weakest dictionary passwords should be statistically safe. The current record for hashing bcrypt at cost 5 is 71k hashes per second. At that rate even a 6 character random password would take years to crack.
And considering my minimum recommended cost is 10, that reduces the hashes per second by a factor of 32. So we'd be talking only about 2200 hashes per second. At that rate, even some dictionary phrases or modificaitons may be safe.Additionally, we should be checking for those weak classes of passwords at the door and not allowing them in. As password cracking gets more advanced, so should password quality requirements. It's still a statistical game, but with a proper storage technique, and strong passwords, everyone should be practically very safe.Encrypt The Output Hash Prior To StorageThere exists in the security realm an algorithm designed to handle everything we've said above.
It's a block cipher. It's good, because it's reversible, so we can rotate keys (yay!
Crack Hash Online
It's good because it's being used as designed. It's good because it gives the user no information.Let's look at that line again. Let's say that an attacker knows your algorithm (which is required for security, otherwise it's security through obscurity). With a traditional pepper approach, the attacker can create a sentinel password, and since he knows the salt and the output, he can brute force the pepper.
Ok, that's a long shot, but it's possible. With a cipher, the attacker gets nothing.
And since the salt is randomized, a sentinel password won't even help him/her. So the best they are left with is to attack the encrypted form.
Which means that they first have to attack your encrypted hash to recover the encryption key, and then attack the hashes. But there's a lot of research into the attacking of ciphers, so we want to rely on that.TL/DRDon't use peppers. There are a host of problems with them, and there are two better ways: not using any server-side secret (yes, it's ok) and encrypting the output hash using a block cipher prior to storage.
@ircmaxell - On the other side, you would loose nothing. In the worst case, when the key becomes known, an attacker must still crack the BCrypt hash (same situation as without encryption). This is not the same as storing a key for encrypting data, this is about adding a server-side secret. Even a hardcoded key would protect those weak passwords, as long as the attacker has no control over the server/code. This situation is not uncommon: aside from SQL-injection, also thrown away backups, discarded servers can lead to this situation. A lot of PHP users work on hosted servers.–Jun 4 '13 at 20:14. Fist we should talk about the exact advantage of a pepper:.
The pepper can protect weak passwords from a dictionary attack, in the special case, where the attacker has read-access to the database (containing the hashes) but does not have access to the source code with the pepper.A typical scenario would be SQL-injection, thrown away backups, discarded servers. These situations are not as uncommon as it sounds, and often not under your control (server-hosting). If you use. A unique salt per password. A slow hashing algorithm like BCrypt.strong passwords are well protected. It's nearly impossible to brute force a strong password under those conditions, even when the salt is known. The problem are the weak passwords, that are part of a brute-force dictionary or are derivations of them.
The point of salt and pepper is to increase the cost of a pre-computed password lookup, called a rainbow table.In general trying to find a collision for a single hash is hard (assuming the hash is secure). However, with short hashes, it is possible to use computer to generate all possible hashes into a lookup onto a hard disk. This is called a Rainbow Table. If you create a rainbow table you can then go out into the world and quickly find plausable passwords for any (unsalted unpeppered) hash.The point of a pepper is to make the rainbow table needed to hack your password list unique. Thus wasting more time on the attacker to construct the rainbow table.The point of the salt however is to make the rainbow table for each user be unique to the user, further increasing the complexity of the attack.Really the point of computer security is almost never to make it (mathematically) impossible, just mathematically and physically impractical (for example in secure systems it would take all the entropy in the universe (and more) to compute a single user's password).