Salts are supposed to be unique and randomly generated for each user when storing passwords. Is there a reason why we can't generate these salts with a cryptographic hash function using the username as the input?

It appears to me that these hashes would give the properties we desire, and we wouldn't have to use additional storage space for the salts.

  • After more searching, I found a reason why you shouldn't use a hash of the username as a salt:

    The user name does not change when the user changes their password. An attacker seeing the old hashed password and the new hashed password may attack both at a cost less than twice the cost of attacking one.

    – gbooooooo Jul 24 '13 at 17:30
  • Yes. Each new hash should have a new salt, otherwise by cracking one hash and saving all previous attempts, you now have a rainbow table to start with for all future password changes by that user. – KeithS Jul 24 '13 at 17:40
  • @gbooooooo Congratulations, the results of your own research are absolutely correct. (Now, all that's left to do is to post your comment as an answer to your own question and accept it.) – e-sushi Jul 24 '13 at 18:20

Good salts are unique over the whole range of space-time.

A user does not change his name when he changes his password: that's a failure of uniqueness over time. (Similar case: an old user account is closed, a new user is registered and reuses the same name.)

A user has the same name on several distinct servers, which may employ the same hashing strategy: that's a failure of uniqueness over space. (Think, in particular, of all these users called "Administrator".)

User names are thus rather sloppy as salts. They are much better than no salt at all, but it is highly recommended to use proper random salts instead. 16 bytes (or more) from a cryptographically strong PRNG will give you much better uniqueness.

Tom Leek
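The two failures the answer describes, shown side by side as an added example (not code from the post or its author): a salt derived from the username repeats across that user's password changes and across unrelated servers, while a salt from the OS CSPRNG does not. The PBKDF2 parameters, the usernames and the passwords are assumed sample values.

```python
import hashlib
import hmac
import os

# PBKDF2 work factor; an assumed value for the demo, tune it for real deployments.
ITERATIONS = 100_000

def username_salt(username: str) -> bytes:
    """The scheme from the question: salt derived deterministically from the username."""
    return hashlib.sha256(username.encode("utf-8")).digest()[:16]

def random_salt(username: str) -> bytes:
    """The scheme the accepted answer recommends: 16 fresh bytes from the OS CSPRNG.
    The username parameter exists only so both schemes share a signature; it is ignored."""
    return os.urandom(16)

def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)

def store(password: str, salt: bytes) -> dict:
    """What a server keeps per user: the salt in the clear next to the hash."""
    return {"salt": salt, "hash": hash_password(password, salt)}

def verify(password: str, record: dict) -> bool:
    candidate = hash_password(password, record["salt"])
    return hmac.compare_digest(candidate, record["hash"])

def salt_reused_over_time(make_salt, username: str, passwords: list) -> bool:
    """Failure over time: the same user changes password; does any salt repeat?"""
    salts = [make_salt(username) for _ in passwords]
    return len(set(salts)) < len(salts)

def hash_shared_over_space(make_salt, username: str, password: str) -> bool:
    """Failure over space: two unrelated servers, same username and password;
    do they end up storing byte-identical hashes (one cracked, both cracked)?"""
    server_a = store(password, make_salt(username))
    server_b = store(password, make_salt(username))
    return server_a["hash"] == server_b["hash"]

if __name__ == "__main__":
    changes = ["old-pw", "new-pw"]  # constructed sample password history
    for label, scheme in (("username-derived", username_salt), ("random", random_salt)):
        print(label, "salt: reused over time =", salt_reused_over_time(scheme, "admin", changes),
              "| identical hash on two servers =", hash_shared_over_space(scheme, "admin", "hunter2"))
```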

Think about most wanted usernames like tom, admin, user...

If you create x rainbow tables for the x most wanted usernames, then, for these x users, the attacker just has to look in the rainbow table for that username.

    How does this answer differ from the accepted one? – techraf Feb 01 '17 at 12:20
  • @techraf: oops, I didn't read the part "Think ... of all these users called Administrator", and the part "A user has the same name on several distinct servers" seemed to suggest it would only be a problem if the same user has the same name. But I think the most important issue is the often-used usernames. Now, I would just add a comment instead of creating a new answer. – user138016 Feb 01 '17 at 16:18
  • this answer is about predictability, the accepted answer is more about absence of uniqueness – user138016 Feb 01 '17 at 16:33