I'm preparing to put a project publicly on github. In my project, for login authentication, I take a string and strongly type it as a Password
:
// Stripped down here on SO for brevity
public class Password
{
private const string salt = "sealab2021";
public Password(string password)
{
this.saltedPasswordHash = new MD5Hash(password + this.salt).ToString();
}
public string SaltedHash { get; private 开发者_如何学运维set; }
}
Obviously, if the salt is publicly-viewable, the salt's worthless.
What do other people do to salt passwords in open-source projects and still keep the salt phrase securely hidden?
Should the salt exist somewhere on the file system and be loaded when the application starts? Seems like a reasonable solution, but if I'm going to actually use github for source control and not just do dumps to github when new versions are released, that file's still going to be accessible to the public.
Obviously, if the salt is publicly-viewable, the salt's worthless.
Not true. You should assume that the salt is potentially known to an attacker, rather than relying on security-through-obscurity.
Your mistake is that you're using a single, shared salt for the entire system. You should use a separate, pseudo-random salt for each user, and then store that salt with the password hash for that user.
I would also recommend using a system like PBKDF2 or bcrypt rather than a simple salted hash.
First, salts don't need to be secret. They need to be random. A salt is meant for situations when the attacker has already compromised the database (and often the filesystem). That means they have access to the hashed passwords and salts. However, the salts still greatly increase the effort needed to get the plaintext password.
More importantly, login salts should be random and per-user. Generate a random value when the user is created. If you want to use two salts (one per-user, and one per-installation), generate a random value in a setup script.
Finally, this is not a open source/proprietary issue. Such hard-coded values can easily be reverse-engineered from proprietary software.
精彩评论