The attacker can then look up each hash in the password file in the rainbow table. Since an unsalted password always hashes to the same value, one precomputed table serves against every user at once, and every password that appears in the dictionary is recovered in one pass over the file.
This attack can be prevented by salting the passwords when hashing them: a per-user random value is mixed into the input before hashing and stored next to the hash. Compare the following code:
require 'digest/sha1'

# In-memory stand-ins for the users table: login => hash and login => salt.
# The salt is not secret; it only has to differ per user and be stored with the hash.
$hashes = {}
$salts = {}

def hash(password, salt)
  Digest::SHA1.hexdigest("--#{salt}--#{password}--")
end

# Derives the salt from the current time and the login. Note that this makes
# the salt guessable; a value from SecureRandom would be the safer choice.
def generate_salt(login)
  Digest::SHA1.hexdigest("--#{Time.now.to_s}--#{login}--")
end

def store_password(login, password)
  salt = $salts[login] = generate_salt(login)
  $hashes[login] = hash(password, salt)
end

def verify_password(login, password)
  $hashes[login] == hash(password, $salts[login])
end

store_password('alice', 'kittens')
store_password('bob', 'kittens')

# The exact values depend on the time of the run; what matters is that alice and
# bob share a password but end up with different hashes.
$hashes # => {"alice"=>"955b034a284ed2405c8f1a275e2191484161b1c5",
        #     "bob"=> "2f7ef18f0f50efd2b8684c49e85befc95509a74f"}
$salts  # => {"alice"=>"0682a0e26655e234ee45ea6a68af8ebd3e2c0eaf",
        #     "bob"=> "6116fb3dc0e9824b7c99e81f6dac6c17b7a6257b"}

verify_password('alice', 'kittens') # => true
verify_password('alice', 'mittens') # => false
verify_password('bob', 'kittens')   # => true

Application Issues | 129
Because every user gets a different salt, the same password hashes to different values for different users (with high probability), so a table precomputed for one salt is useless against any other and the attacker has to redo the dictionary work once per user instead of once per file. Salting does not make an individual account harder to guess: a single SHA-1 is cheap, so a weak password still falls to a per-user dictionary run. Making each guess expensive is a separate measure, and it is what deliberately slow constructions such as bcrypt or PBKDF2 provide on top of the salt. The acts_as_authenticated plugin (http://technoweenie.stikipad.com/
plugins/show/Acts+as+Authenticated) salts passwords by default.
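The two situations the text contrasts, run side by side, as an added example (this is not the book's code and not what acts_as_authenticated does). The wordlist, logins and salts are constructed for the demonstration; the salted hash is the one from the listing above. The hardened variant at the end is an assumption about good practice rather than anything on this page: a SecureRandom salt in place of the timestamp, PBKDF2-HMAC-SHA256 from Ruby's bundled openssl library in place of a single SHA-1, and a comparison that does not stop at the first differing byte.

```ruby
require 'digest/sha1'
require 'securerandom'
require 'openssl'

# Constructed wordlist standing in for the attacker's dictionary.
DICTIONARY = %w[kittens mittens password letmein dragon].freeze

# --- Unsalted storage: the same password always gives the same hash. ---
def unsalted_hash(password)
  Digest::SHA1.hexdigest(password)
end

# The attacker hashes the dictionary once, building a hash => plaintext table.
def build_lookup_table(words)
  words.each_with_object({}) { |w, table| table[unsalted_hash(w)] = w }
end

# One pass over a stolen file of login => hash recovers every dictionary
# password at the cost of one table lookup per entry.
def crack_unsalted(password_file, table)
  password_file.each_with_object({}) do |(login, digest), found|
    found[login] = table[digest] if table.key?(digest)
  end
end

# --- Salted storage, the scheme shown in the listing above. ---
def salted_hash(password, salt)
  Digest::SHA1.hexdigest("--#{salt}--#{password}--")
end

# The stolen file now holds login => [hash, salt]. The table was built with
# no salt at all, so none of its entries can match.
def crack_salted_with_table(password_file, table)
  password_file.each_with_object({}) do |(login, (digest, _salt)), found|
    found[login] = table[digest] if table.key?(digest)
  end
end

# What the attacker is left with: re-run the whole dictionary for every user.
# Returns the passwords found and the number of hash computations spent.
def crack_salted_per_user(password_file, words)
  found = {}
  work = 0
  password_file.each do |login, (digest, salt)|
    words.each do |w|
      work += 1
      if salted_hash(w, salt) == digest
        found[login] = w
        break
      end
    end
  end
  [found, work]
end

# --- Hardened variant (an assumption, not the plugin's scheme): random salt
# and a slow KDF, so each guess costs PBKDF2_ITERATIONS hashes, not one.
PBKDF2_ITERATIONS = 100_000

def derive_key(password, salt)
  OpenSSL::PKCS5.pbkdf2_hmac(password, salt, PBKDF2_ITERATIONS, 32, 'sha256')
end

def new_credential(password)
  salt = SecureRandom.random_bytes(16)
  { salt: salt, key: derive_key(password, salt) }
end

# Compare every byte so the timing does not reveal how long a prefix matched.
def constant_time_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

def verify_credential(credential, password)
  constant_time_equal?(credential[:key], derive_key(password, credential[:salt]))
end

if __FILE__ == $PROGRAM_NAME
  table = build_lookup_table(DICTIONARY)
  unsalted = { 'alice' => unsalted_hash('kittens'), 'bob' => unsalted_hash('kittens') }
  puts "unsalted, one table lookup each: #{crack_unsalted(unsalted, table).inspect}"
  salted = { 'alice' => [salted_hash('kittens', 'salt-a'), 'salt-a'],
             'bob'   => [salted_hash('kittens', 'salt-b'), 'salt-b'] }
  puts "salted, table lookup:  #{crack_salted_with_table(salted, table).inspect}"
  found, work = crack_salted_per_user(salted, DICTIONARY)
  puts "salted, per-user run:  #{found.inspect} after #{work} hash computations"
end
```

The work counter is the point to watch: with salts the attacker still finds both accounts that use "kittens", but only by rehashing the dictionary once per user, and with the PBKDF2 variant each of those rehashes costs a hundred thousand HMAC calls instead of one SHA-1.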