What is the point of using a salt for member login?

Hello all,
I was wondering what the point of using a salt at all is. What use can it bring, or maybe better to ask, how is it used?
If a user wants to log in and types his/her user name and password, while we process the data, what is the sense of doing this:
# I assume we have all the info, are connected to the database, etc.
$salted_password = $salt . $form_password;


Since we take the user name information from the form input, compare it to our database to see if there is any match, and if there is we get the salt from the database and combine it with the user's password, what good can it bring?

Maybe I just understood the usage wrong; I would be glad if anyone could explain this whole process to me, and why it makes our login system more secure.

 Thank you for your help and concern in advance.
pixalax asked:
Beverley Portlock commented:
I don't know why anyone would use a "salt" for a user login. Salts are usually used to reset random-number generators or as a starting point for an iterative process.
pixalax (author) commented:
Hello bportlock,
 Firstly, thank you for your reply. You wrote that they are usually used to reset random-number generators or as a starting point for an iterative process. I got the part about random-number generators, but I didn't get the part about a starting point for an iterative process. What kind of iterative process?
 I'm also integrating my system with a forum; I use my own members table instead of the forum's. I just saw a salt part there and also read some articles saying that it increases security, I just didn't get the point.
 My understanding of salts here, depending on your answer, is to use it when a member wants to reset his password to generate a new one. I would be glad if you could explain what kind of iterative process I can use it for (a simple example would be enough).
tsmgeek commented:
Salts are usually used when you are hashing passwords, i.e. the most common is...

// hash the user name together with the password; the user name acts as the salt
$username_hashpass = sha1($username . $password);

You then store the hashpass in the DB; that way the hash is unique to the user even if two users have the same password.
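Here is a worked version of the per-user salt scheme that the question and tsmgeek's reply describe, added as an example (it is not code from the thread). It assumes a hypothetical members table with username, salt and pw_hash columns, stood in for by an in-memory array; the salt is a random value per user rather than the user name, and the look-up-then-compare step is the one the asker was puzzling over.

```php
<?php
// Added example (not from the thread): per-user random salt for password storage.
// Assumes a hypothetical members table with columns username, salt, pw_hash.

// Create a new random salt (16 bytes, hex encoded) when the account is created
// or the password is changed.
function make_salt(): string {
    return bin2hex(random_bytes(16));
}

// Combine salt and password, then hash. Same shape as the thread's
// $salt . $form_password, but with SHA-256 instead of SHA-1.
function salted_hash(string $salt, string $password): string {
    return hash('sha256', $salt . $password);
}

// Registration: store the salt and the hash, never the plain password.
function register(array &$members, string $username, string $password): void {
    $salt = make_salt();
    $members[$username] = [
        'salt'    => $salt,
        'pw_hash' => salted_hash($salt, $password),
    ];
}

// Login: look the user up, fetch that user's stored salt, recompute, compare.
function login(array $members, string $username, string $form_password): bool {
    if (!isset($members[$username])) {
        // Hash anyway so an unknown user name costs the same time as a known one.
        salted_hash(make_salt(), $form_password);
        return false;
    }
    $row = $members[$username];
    $candidate = salted_hash($row['salt'], $form_password);
    // Constant-time comparison of the two hex strings.
    return hash_equals($row['pw_hash'], $candidate);
}

// Constructed sample data: an in-memory stand-in for the members table.
$members = [];
register($members, 'alice', 'hello-1234-day');
register($members, 'bob',   'hello-1234-day');   // same password as alice

// Same password, different stored hashes, because the salts differ.
var_dump($members['alice']['pw_hash'] !== $members['bob']['pw_hash']);
var_dump(login($members, 'alice', 'hello-1234-day'));
var_dump(login($members, 'alice', 'wrong'));
var_dump(login($members, 'nobody', 'hello-1234-day'));

// Current PHP does all of this for you: password_hash() generates the salt and
// uses a deliberately slow hash, password_verify() checks it.
$stored = password_hash('hello-1234-day', PASSWORD_DEFAULT);
var_dump(password_verify('hello-1234-day', $stored));
```

The point of the salt shows in the first var_dump: alice and bob share a password but store different hashes, so a precomputed table of hashes of common passwords matches neither row and each row has to be attacked on its own. Using the user name as the salt (tsmgeek's version) gives the same per-user separation; a random salt additionally keeps rows from matching across sites where someone reused both name and password. In current PHP, password_hash() and password_verify() are the right calls; the hand-rolled version is here only to make the mechanism explicit.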
Beverley Portlock commented:
"What kind of iterative process?"

Certain iterative equations can exhibit vastly different results resulting from very small changes in the initial starting conditions. This is often referred to as "chaotic behaviour" and one of the best known examples is the complex number equation z² = -1 (that's zed squared, not zed two). Sometimes these chaotic outputs are used to generate textures or graphic items and the "salt" is used to introduce variations in the output to produce a more naturalistic finish.

These iterative equations are not confined to producing graphics, but the immense variations that can be produced by a small change in starting conditions make them ideal for the production of certain kinds of data set.

"when a member wants to reset his password to generate new one. I would be glad if you can explain what kind of iterative process I can use it for (a simple example would be enough)."

The key points for any password are:

1. Length - the longer the better
2. Randomness - the more random the better

The problem is that the ideal password is impossible to remember so you must compromise the security in some way to allow the fallible human to remember the password.

One simple approach is to use 500 common words of between 3 and 5 letters and place them in an array. Then generate two random numbers and use these to select two of the words. This gives you 500 * 500 = 250,000 combinations which is not enough, so generate a 4 digit number as well to use as part of the password and you now have 2,500,000,000 combinations and a password length of 10 to 14 characters. Next put some separators in such as - _ . + ! so you get passwords like hello-1234-day which a user can remember. If you then pick a couple of letters at random and make them upper case then the number of combinations is now in the tens of billions but the user can probably still remember the password like hello-1234-dAy.

You can run several variations on this approach which, on the face of it, is less secure than simply generating a 14 character sequence of nonsense like ^tYhs#a49DaGG= but since users will never remember nonsensical sequences, completely random sequences tend to get written down and stuck to the keyboard, thus rendering them completely useless.

Some passwords are more important than others, but for "normal" accounts a scheme like the one outlined above has enough entropy in it to be safe.
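The word-number-word scheme described in this reply, as an added example rather than code from the post, in PHP with random_int() so that every pick is cryptographically random instead of coming from rand(). The ten-word list and the entropy_bits() helper are constructed for illustration; the post's own figures assume a list of about 500 words.

```php
<?php
// Added example (not from the thread): generate a memorable word-number-word
// passphrase as described in the reply above.

// Constructed short word list; the reply suggests ~500 common 3-5 letter words.
const WORDS = ['hello', 'day', 'sun', 'tree', 'blue', 'fast', 'river', 'moon', 'gold', 'wind'];
const SEPARATORS = ['-', '_', '.', '+', '!'];

// Pick one element with a cryptographically secure index.
function pick(array $list): string {
    return $list[random_int(0, count($list) - 1)];
}

// Upper-case $count randomly chosen lower-case letters of $s
// (digits and separators are never touched).
function random_upper(string $s, int $count): string {
    $positions = [];
    foreach (str_split($s) as $i => $ch) {
        if ($ch >= 'a' && $ch <= 'z') {
            $positions[] = $i;
        }
    }
    for ($n = 0; $n < $count && $positions; $n++) {
        $k = random_int(0, count($positions) - 1);
        $s[$positions[$k]] = strtoupper($s[$positions[$k]]);
        array_splice($positions, $k, 1);   // do not pick the same letter twice
    }
    return $s;
}

// word + separator + 4-digit number + separator + word, then two capitals.
function make_passphrase(): string {
    $sep    = pick(SEPARATORS);
    $number = str_pad((string) random_int(0, 9999), 4, '0', STR_PAD_LEFT);
    $phrase = pick(WORDS) . $sep . $number . $sep . pick(WORDS);
    return random_upper($phrase, 2);
}

// Rough entropy estimate in bits: log2 of the number of distinct outputs
// (words^2 * 10000 numbers * separators), ignoring the capital letters.
function entropy_bits(int $words, int $separators): float {
    return log($words * $words * 10000 * $separators, 2);
}

echo make_passphrase(), PHP_EOL;
printf("about %.1f bits with a 500-word list\n", entropy_bits(500, count(SEPARATORS)));
```

The entropy figure is the useful part for a defender: with 500 words the scheme lands in the low thirties of bits, which is fine for a login that is rate-limited and stored with a salted, slow hash, and not fine for anything an attacker can run offline at full speed. Growing the word list is the cheapest way to add bits without making the phrase harder to remember.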

pixalax (author) commented:
Thank you all.
I do the following for members' password security:
 I have a pwkey cell in my members table.
1. It uses this key to generate 64-bit encryption.
2. I have a crypto table in my database and the member's record has a 10-digit 2nd key to make a 2nd encryption (again 64 bit).

I believe (and hope) this is enough security.

So basically I was doing what salt was for. I just got confused because 1-2 articles were using $salted_pw = $salt.$user.inputpw so I didn't understand the sense of this $salt variable. I just wanted to be sure, so I decided to ask the experts' opinion.

Thank you all for your time and concern.