
I need to derive a key from a username and a password. These are the only two things I have access to. What I thought of was using PBKDF2 with the username as the salt and the password as the master password.

Could someone help me evaluate / confirm this solution in terms of security?

Update: Since the salts are required to be unique, I have thought about using the following as a salt:

HASH(USERNAME) XOR SOME_GLOBAL_CONSTANT

or perhaps

HMAC(SOME_GLOBAL_CONSTANT, USERNAME)

What do you think of this updated salt value?

CodesInChaos

2 Answers


That's a reasonable solution if you can't use a random salt. If you personalize your hash function for your application, then the salt is globally unique for each user (e.g. use sitename||username as salt). The only salt reuse happening is that older passwords of the same user have the same salt. But that's a very minor issue.

I disagree with Polynomial who wants unpredictable salts. Unpredictability is not necessary for most protocols involving password hashing. Global uniqueness or at least rareness is the decisive property.

To combine sitename and username I'd simply go with concatenating them. Your HMAC suggestion is certainly fine too. Your xor variant gives me a bit of a bad feeling, but is probably fine too.

CodesInChaos
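As an added example (not code from the thread or from either answerer), the following shows how the two salt constructions discussed above, sitename||username and HMAC(SOME_GLOBAL_CONSTANT, USERNAME), feed into PBKDF2, and checks the properties that matter: the derived key is deterministic for one user, differs between users, and differs between applications that share a username. `APP_ID`, the iteration count, the usernames and the passwords are constructed values, not taken from the thread.

```python
import hashlib
import hmac

# Constructed demo values (assumptions, not from the original thread).
APP_ID = b"example-app-v1"   # the per-application "sitename" / global constant
ITERATIONS = 600_000         # PBKDF2 work factor; keep this high in practice
KEY_LEN = 32                 # derived key length in bytes


def salt_concat(app_id: bytes, username: str) -> bytes:
    """Salt = sitename || username, the construction the answer prefers.

    A separator byte is inserted so that (b"ab", "c") and (b"a", "bc")
    cannot produce the same salt.
    """
    return app_id + b"\x00" + username.encode("utf-8")


def salt_hmac(app_id: bytes, username: str) -> bytes:
    """Salt = HMAC(SOME_GLOBAL_CONSTANT, USERNAME), the asker's second variant.

    Fixed-length output; the raw username no longer appears in the salt field.
    """
    return hmac.new(app_id, username.encode("utf-8"), hashlib.sha256).digest()


def derive_key(username: str, password: str, salt_fn=salt_hmac,
               app_id: bytes = APP_ID, iterations: int = ITERATIONS) -> bytes:
    """Derive a key with PBKDF2-HMAC-SHA256 from only a username and a password."""
    # Usernames are usually case-insensitive; normalise so "Alice" and "alice"
    # map to the same salt and therefore the same key.
    uname = username.strip().lower()
    salt = salt_fn(app_id, uname)
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                               salt, iterations, dklen=KEY_LEN)


def demo(iterations: int = ITERATIONS) -> dict:
    """Check the properties the answer relies on and return them as a dict."""
    k_alice = derive_key("alice", "correct horse", iterations=iterations)
    k_again = derive_key("Alice ", "correct horse", iterations=iterations)
    k_bob = derive_key("bob", "correct horse", iterations=iterations)
    k_other_app = derive_key("alice", "correct horse",
                             app_id=b"other-app", iterations=iterations)
    k_concat = derive_key("alice", "correct horse",
                          salt_fn=salt_concat, iterations=iterations)
    return {
        "deterministic": k_alice == k_again,      # same user, same key
        "user_separates": k_alice != k_bob,       # same password, different users
        "app_separates": k_alice != k_other_app,  # same user, different sitename
        "construction_separates": k_alice != k_concat,
        "key_len": len(k_alice),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The application constant is what turns a merely database-unique username into a globally unique salt, which is the property the answer identifies as decisive; the same username and password used at two sites with different `APP_ID` values yield unrelated keys, so a table precomputed for one site is useless against the other.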

This is a bad idea, explored a little in a question on Security SE.

A salt should be:

  • Unpredictable.
  • Unique, at least in your database and ideally worldwide.

It does not need to be secret.

A username is not unpredictable, and only just satisfies the uniqueness requirement.

A much better solution is to randomly generate the salt and verify that it doesn't match any salt you've already used. If verifying uniqueness is difficult, you could hash the username with a random salt concatenated, to get your final salt. This isn't bulletproof, but it does help reduce collisions.

Polynomial