29 Sep 2013, 15:17

craig ferry (12 posts)

In the preface, one of the goals of the book is to write web applications using current best practices.

Given that admirable goal, I think the user table in the database should have an extra column for a salt, and that a small section be added explaining the importance of having a salt to protect against rainbow attacks.

29 Sep 2013, 21:28

Dmitri Sotnikov (35 posts)

That is a good suggestion. While the main focus is on Clojure specific best practices, security is obviously an important aspect.

It’s worth noting that the passwords are hashed using BCrypt. A salt will be generated when the encrypt function is called without one being provided. While it’s obviously better to keep a separate salt, it’s better than nothing.

If I get the chance I’ll try and expand the section to at least mention salts and their purpose.

30 Sep 2013, 12:59

craig ferry (12 posts)

Sorry Dmitri,

That's my bad. I didn’t realise that bcrypt stored its version, cost factor, salt and password hash all in one field.

That certainly makes setting things up almost effortless and with very little code needed.

I think maybe just a paragraph or two explaining the importance of salts would raise awareness, followed by an explanation that bcrypt does this for us without effort on our part, for those of us who weren’t aware how easy bcrypt makes this.

30 Sep 2013, 13:26

Dmitri Sotnikov (35 posts)

I’ve updated the Clojure Web Stack chapter where I introduce BCrypt with the following explanation:

The reason for salting passwords is to prevent rainbow table attacks. A rainbow table is effectively a dictionary containing pre-calculated hashes along with the many common passwords used to generate them. Such a table is optimized to make hash lookups efficient and allows the attacker to easily discover the original password string given its hash.

The salt constitutes a randomly generated string that is concatenated with the hashed password. The final hash that’s generated is no longer susceptible to the attack described above.
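
Craig's point earlier in the thread, that bcrypt keeps its version, cost factor, salt and hash in one field, can be made concrete by pulling a stored value apart. The following is an added example in Python, not code from the book or from anyone in this thread; the bcrypt field layout is the real modular-crypt format, but the sample values are constructed placeholders, not real bcrypt output.

```python
import re
from dataclasses import dataclass

# Layout of a stored bcrypt field: $<version>$<cost>$<22-char salt><31-char digest>
# Salt and digest use bcrypt's own base64 alphabet (./A-Za-z0-9).
_BCRYPT_FIELD = re.compile(
    r"^\$(2[abxy]?)\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$"
)


@dataclass(frozen=True)
class BcryptField:
    version: str   # algorithm variant, e.g. "2a"
    cost: int      # work factor; bcrypt runs 2**cost key-setup rounds
    salt: str      # 22 encoded characters (128 random bits)
    digest: str    # 31 encoded characters of the actual hash output

    @property
    def rounds(self) -> int:
        return 2 ** self.cost


def parse_bcrypt_field(field: str) -> BcryptField:
    """Split one stored bcrypt value into its components.

    Raises ValueError if the field is not a well-formed bcrypt string, which is
    the sanity check to run before trusting a row in the users table.
    """
    match = _BCRYPT_FIELD.match(field)
    if match is None:
        raise ValueError("not a bcrypt modular-crypt string")
    version, cost, salt, digest = match.groups()
    cost_value = int(cost)
    if not 4 <= cost_value <= 31:          # bcrypt's valid cost range
        raise ValueError(f"bcrypt cost {cost_value} outside 4..31")
    return BcryptField(version, cost_value, salt, digest)


def same_salt(a: str, b: str) -> bool:
    """True if two stored fields reuse one salt; with a shared salt, identical
    digests would reveal that two users chose the same password."""
    return parse_bcrypt_field(a).salt == parse_bcrypt_field(b).salt


# Constructed sample fields (not real bcrypt output; the salt and digest
# characters are placeholders of the right length and alphabet).
SAMPLE_FIELD = "$2a$10$abcdefghijklmnopqrstuvABCDEFGHIJKLMNOPQRSTUVWXYZ01234"
SAMPLE_FIELD_OTHER_SALT = "$2a$10$vutsrqponmlkjihgfedcbaABCDEFGHIJKLMNOPQRSTUVWXYZ01234"

if __name__ == "__main__":
    parts = parse_bcrypt_field(SAMPLE_FIELD)
    print(parts, "rounds:", parts.rounds)
    print("salt reused:", same_salt(SAMPLE_FIELD, SAMPLE_FIELD_OTHER_SALT))
```

Because the salt travels inside the field, no extra column is needed: the verifying side reads the salt and cost back out of the stored value before recomputing the hash.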

30 Sep 2013, 14:18

craig ferry (12 posts)

Great
