
Does it matter how I add a salt to a password in my application: by appending it or by prepending?

```
# 1
res = sha256(salt + password)

# 2
res2 = sha256(password + salt)
```

I've been told that the 2nd option is better.

Incerteza
  • Presumably if the hashing algorithm is worth its salt (pun intended!), then it really shouldn't matter. Just be consistent, as the output will be different. – Jarrod Christman Jun 09 '17 at 17:01
  • You're very much on the wrong track, and should really read the top answers in ["How to securely hash passwords?"](https://security.stackexchange.com/questions/211/how-to-securely-hash-passwords) – Luis Casillas Jun 09 '17 at 18:03
  • It mattered more for MD5, doesn't matter at all for SHA3, and doesn't matter much with SHA2 – dandavis Jun 09 '17 at 18:20

1 Answer


This scenario doesn't really apply to password storage, but more for trying to use a standard hash to validate user input.

The reason data+salt is better is that it makes it more difficult to perform a Length Extension Attack. The assumption here is that the user does not control the salt, but does control the data. If the user can control the end of the input to a hash, he/she can control/predict what the hash will look like. This link can give you a better idea of how length extension attacks work.

Also, don't ever use sha256 to hash passwords. Use some sort of Key Derivation Function, like BCrypt.

Dan Landberg
  • `don't ever use sha256 to encrypt passwords.` -- 1) why? 2) it's not encrypting – Incerteza Jun 09 '17 at 17:38
  • SHA256 is too fast. An attacker who is cracking the hashes can attempt billions of hashes per second with non-KDF hash algorithms given some decent hardware. A KDF is designed to be much slower, as in thousands of guesses per second or lower. This significantly increases the amount of time you have between a database being compromised and the passwords being discovered. It buys you more time to discover the breach, and reset your users' passwords. – Dan Landberg Jun 09 '17 at 17:49
  • Length extension is not a relevant concern for password hashing. A length extension attack here would allow the attacker to construct the correct hash for a salt/password combination that would not exist in the password database, and thus is useless. – Luis Casillas Jun 09 '17 at 18:01
  • That's a much cleaner explanation than I gave in the first line of my answer. I may steal it :) – Dan Landberg Jun 09 '17 at 18:06