I mean, for example you use salting to protect your password against a dictionary attack. But when I know that the salt from User X is jd38d83h8fh08h (because it is saved as plain text together with the password), I could use this salt with every word in my dictionary. Why is it safe to save a salt as plain text?
Asked
Active
Viewed 1,546 times
3
user
- 7,670
- 2
- 30
- 54
idontknowwhoiamgodhelpme
- 131
- 3
2 Answers
7
Salts aren't designed to protect against dictionary attacks. The salt is used to prevent a pre-image or a rainbow attack in which large amount of passwords are pre-computed, and can be looked up almost immediately rather than weeks or months later.
Putting a large amount of random data before the password makes this impossible.
In addition, the salt protects against the same password having the same hash value, and forces the attacker to compute a new hash for all passwords rather than use the same hash for all passwords.
Steve Sether
- 21,480
- 8
- 50
- 76
2
If I saw a salt not being stored as plaintext, it would lower my confidence in the security in the rest of the application. Why this is, is because it would signify to me that the developer in charge does not know the purpose and potentially the proper usage of a salt.
Encrypting a salt wouldn't hurt security, but keep in mind that knowledgable peers would become suspect of your understanding.
Andrew Hoffman
- 1,987
- 14
- 17