21

I'm developing an authentication service.

I know the practice of generating a unique salt per user, stored in the DB with the hashed password, to prevent rainbow tables attacks.

I just had the idea of adding a second salt, inside the code, not existing in the DB, so if the database is leaked (but not the code), even weak passwords are not vulnerable to brute-force.

I seems to be a good idea to me, but as I'm not an expert I'd like to have the confirmation of people who are good in information security.

IggY
  • 378
  • 2
  • 7
  • Why wouldn't you just hash the password like normal, then AES encrypt it with a secret key, rather than using 2 salts? – Petah Sep 10 '15 at 00:18

1 Answers1

33

Your second "salt" is a concept which has been described as "peppering". Basically, it works, but has the drawback of implying key management (the "pepper" being really what cryptographers would call a secret key): when you update the software, or switch to newer machines, you have to take care of transferring the pepper value, otherwise you will make all your hashes unverifiable.

Peppering is best done by first computing the hash in the normal way, and then computing some HMAC over it, with the pepper as key. In the database, you store the hash parameters (salt, iteration count) and the HMAC output (but not the hash value itself, of course). This works, notably, because HMAC is deterministic.

Tom Leek
  • 168,808
  • 28
  • 337
  • 475
  • @Dogeatcatworld That link is not working for me. – kasperd Sep 09 '15 at 20:05
  • Is using HMAC over AES encrypting the password hash better? – Petah Sep 10 '15 at 00:19
  • HMAC is harder to get wrong, and thus limits the scope for catastrophic programming mistakes. Doing plain encryption allows for, potentially, decrypting _en masse_ all the passwords, if removing the pepper from the whole system happens to become desirable; however, doing encryption properly requires some extra care. – Tom Leek Sep 10 '15 at 01:13
  • 1
    I disagree with the latter suggestion. It allows an attacker who knows only the salt to calculate the difficult portion of the password hash, meaning they would have a head start before compromising the pepper. – otus Sep 10 '15 at 08:48
  • I agree with otus, it is best to append the salt and pepper somehow in order to prevent precomputation attacks – Richie Frame Sep 10 '15 at 09:54