Geek Answers Handbook

Can someone explain how salts help in storing hashed passwords?

It’s hard for me to understand how the salt added to the hash helps improve security when a password database or other important information crashes.

If the salt is, for example, "hello" and the password is added to the password, then the salt and password are stored together, "hellopassword" and hashed to create:

94e66f94517d606d5ad6d9191b980408952f2ed2 (sha1)

with salt added:

 hello$94e66f94517d606d5ad6d9191b980408952f2ed2

How is it safer? The attacker knows the salt, so now it can calculate passwords with a little extra difficulty ... right? Or am I fundamentally misunderstanding something?

+7
hash salt sha1
source share
3 answers

No, not with “minor additional difficulties” - with potentially significantly greater difficulties.

Imagine there are two billion shared passwords. It is easy to hash all of these and store the results. Then, if you have a failed password hash, you can simply check which shared passwords match this hash.

Now compare this to the salty hash ... now you have two billion shared passwords, but also several billion possible salts. The calculation of all possible combinations of salts / passwords will take a lot of time, much longer - I hope it becomes impracticable.

In addition, this means that even if two people have the same password, they will most likely have different hashes, so the carelessness of one user when revealing their password does not threaten the security of the other.

See the Wikipedia entry for more details (if you haven’t done so already).

+8
source share

salt helps in two ways:

1) When two (or more) people use the same password, without salt, you can see who uses the same password (hashes anyway). So theoretically, if this person knows one of these passwords, he knows all passwords with the same hash. This is a small reason.

2) The main reason is to prevent attacks, commonly called dictionary attacks or rainbow attacks. In these attacks, someone uses a database of pre-calculated hashes for shared passwords. Often these databases are large in size. But at this point it is very easy to simply look at the hashes that you have (a hashed password) against the list of precomputed hashes and see what is connected with this password.

Using the salt value (as a rule, you want it to be a random number) the hash will not correspond to the dictionary (the probability of their preliminary calculation of all passwords with all possible salt values ​​is exponentially more complicated). Therefore, even if your user uses an easily attacked password, say, “Password”, which is pretty much guaranteed to be in any password / rainbow dictionary, pre-expecting your random salt value, you make the hash pretty much guaranteed to be useless to the attacker. Meanwhile, for you, since the salt is simply stored in the clear, it is very easy for you to add it to your text to compare the password entered by the user.

+6
source share

Salt is not added to the hash; it is added to the THEN hashed password. This is safer because hackers need to know the salt and the actual password, which you must both protect and be strong .: D

+3
source share

More articles:


All Articles