A salt is a value that is added to a password (or other secret) that you want to hash one way. This means that it can be before, after, or somewhere inside the password, as long as its position and value are consistent for the given password set.
What it does is mitigate dictionary attacks (mostly shared password dictionaries previously hashed without a salt) from "guessing" the password one way, until the attacker knows the hash. If each password has a different hash, this makes it very difficult for an attacker to create a dictionary optimized for cracking your passwords (they need a dictionary for each individual salt, and they also need to know where the salt was placed in each password).
Of course, for all this to be applicable, an attacker must have the hashes of your passwords in the first place. This has nothing to do with attacking passwords by guessing them through some input prompt.
As for MySQL specifically, if you provide a salt when hashing a password, make sure you record somewhere which salt was used. Then, when the user tries to authenticate, you combine this recorded salt value with the password (for example, during a crypt call), and if the resulting hash matches, they entered the correct password. (Note that at no point is the password hash reversed; hence, it is one-way.)
cfeduke
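The register/verify flow the answer describes, as an added example that is not part of the original post: the salt is stored next to the hash, recombined with the supplied password at login, and never reversed. It assumes an in-memory dict in place of the MySQL table and uses PBKDF2-HMAC-SHA256 instead of the crypt call mentioned above; the iteration count is an assumed value.

```python
import hashlib
import hmac
import secrets

# Constructed in-memory "user table" standing in for the MySQL column(s)
# that hold the recorded salt and hash (assumption, not the poster's code).
USER_TABLE = {}

ITERATIONS = 100_000  # PBKDF2 work factor; assumed value for this example


def hash_password(password: str, salt: bytes) -> bytes:
    """One-way hash of salt+password. PBKDF2-HMAC-SHA256 is used here
    in place of the crypt() call from the answer (an assumption)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def register(username: str, password: str) -> None:
    """Pick a fresh random salt per user and record BOTH the salt and the
    hash, as the answer says: the salt must be written down somewhere."""
    salt = secrets.token_bytes(16)
    USER_TABLE[username] = {"salt": salt, "hash": hash_password(password, salt)}


def verify(username: str, password: str) -> bool:
    """Recombine the recorded salt with the supplied password and compare
    hashes in constant time. The stored hash is never reversed."""
    row = USER_TABLE.get(username)
    if row is None:
        # Do the same work for an unknown user so the miss is not obvious by timing
        hash_password(password, b"\x00" * 16)
        return False
    return hmac.compare_digest(row["hash"], hash_password(password, row["salt"]))


def same_password_different_hashes(password: str) -> bool:
    """Shows why a pre-hashed shared dictionary is useless here: two users
    with the same password get different hashes because their salts differ."""
    register("alice", password)
    register("bob", password)
    return USER_TABLE["alice"]["hash"] != USER_TABLE["bob"]["hash"]


if __name__ == "__main__":
    register("carol", "correct horse battery staple")
    print(verify("carol", "correct horse battery staple"))  # True
    print(verify("carol", "wrong"))                          # False
    print(same_password_different_hashes("hunter2"))       # True
```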