SQL 2005\2008 Hashbytes - salt key


  • Hi,

     

    Does HashBytes in SQL Server 2005\2008 use a salt key? If yes, what is the key length?

    I have found a couple of posts specifying that there is an internal salt used, but could not find details about its length.

     

    Thanks,

    DBboy888

    Friday, April 23, 2010 6:23 AM


All replies

  • HASHBYTES does not, in itself, use a salt key.  You can do it yourself, and it has been suggested that you prefix the string to be converted with a salt string.   If the salt string is nonsensical and also uses non-Roman characters (try some symbols or some Chinese characters) it will make it much more difficult to attack the hash.

    Someone once suggested a string of 20 characters or so for the salt.  But that was just a suggestion.  (And, of course, the salt string needs to be secret as well.)

    RLF

    Friday, April 23, 2010 3:11 PM
  • According to different papers I have read and forums which I looked over, some mention that SQL Server uses an internal key for salt, but the length will not be published in order not to make the attack easier. It is still advised to add a salt (to increase the string length) and make it harder to decode.

    I am a bit confused here. Can you please forward me to a paper which specifies that salt is not used?

     

    Thanks,

    DBBoy888

    Saturday, April 24, 2010 9:14 AM
  • No, I cannot find a paper that reveals that.  There is this Microsoft paper which may help you some:

    http://msdn.microsoft.com/en-us/library/cc837966.aspx

    Also, check out Raul Garcia's blog for points such as this:

    http://blogs.msdn.com/raulga/archive/2006/03/11/549754.aspx

    You also might find the following, wide-ranging thread educational as several people discuss hashes, salts, and so forth.

    http://stackoverflow.com/questions/287517/encrypting-hashing-plain-text-passwords-in-database

    You will notice that many people refer to generating or adding their own salt.  Not that it is part of the algorithm, though it doubtless has some saltiness, but that the user defined salt is necessary to avoid dictionary and other attacks.

    RLF

    Saturday, April 24, 2010 7:03 PM
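As an added illustration of what both of RLF's replies describe (HASHBYTES has no built-in salt, so the caller prefixes one, and a per-user salt is what defeats dictionary and precomputed-table attacks), the following T-SQL is example code written for this page, not code from the thread or from Microsoft. It assumes SQL Server 2008 or later for CRYPT_GEN_RANDOM and the DECLARE-with-initializer syntax; the SHA2_256 algorithm name requires SQL Server 2012 or later, and on 2005/2008 the strongest option HASHBYTES offers is SHA1.

```sql
-- Added example, not from the thread: per-user random salt with HASHBYTES.
-- Assumes SQL Server 2008+ (CRYPT_GEN_RANDOM); SHA2_256 needs SQL Server 2012+.
DECLARE @Users TABLE (
    UserName     nvarchar(64)  NOT NULL PRIMARY KEY,
    Salt         varbinary(16) NOT NULL,   -- random, stored in clear next to the hash
    PasswordHash varbinary(32) NOT NULL    -- SHA2_256 output is 32 bytes
);

-- Registration: a fresh 16-byte salt per user, hashed as salt || UTF-16LE(password).
-- Both sample users are constructed and deliberately share the same password.
DECLARE @Password nvarchar(128) = N'correct horse battery staple';  -- constructed sample

DECLARE @Salt1 varbinary(16) = CRYPT_GEN_RANDOM(16);
INSERT INTO @Users (UserName, Salt, PasswordHash)
VALUES (N'alice', @Salt1,
        HASHBYTES('SHA2_256', @Salt1 + CAST(@Password AS varbinary(256))));

DECLARE @Salt2 varbinary(16) = CRYPT_GEN_RANDOM(16);
INSERT INTO @Users (UserName, Salt, PasswordHash)
VALUES (N'bob', @Salt2,
        HASHBYTES('SHA2_256', @Salt2 + CAST(@Password AS varbinary(256))));

-- Same password, different salts: the stored hashes differ, so a table of
-- precomputed hashes built for one row tells an attacker nothing about the other.
SELECT UserName, Salt, PasswordHash FROM @Users ORDER BY UserName;

-- Verification: fetch the user's own salt, recompute, and compare inside the database.
DECLARE @Attempt nvarchar(128) = N'correct horse battery staple';  -- login attempt
SELECT UserName,
       CASE WHEN PasswordHash = HASHBYTES('SHA2_256', Salt + CAST(@Attempt AS varbinary(256)))
            THEN 'match' ELSE 'no match' END AS Result
FROM @Users
WHERE UserName = N'alice';
```

The salt does not need to be secret, only unique per row; what it cannot fix is that HASHBYTES is a single fast hash, so where a deliberately slow password-derivation function (PBKDF2, bcrypt, scrypt) is available in the application layer, it is the better choice for stored passwords.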