I have seen so many articles in which they write that the salt is stored together with the hashed password in the database. However, there's one thing that is bugging me. Since the plain-text salt is stored in the database, and the hacker has access to the database, and provided he guessed one of the passwords correctly, let's say "qwerty" + salt1, how does it prevent other similar passwords from being cracked? The hacker just has to take the same word "qwerty" + the other salt values in the database, like salt2, salt3, etc., and if there's another person using the password "qwerty", it would still be found out in an instant, wouldn't it?

Newbie
  • Does this answer your question? [How to store salt?](https://security.stackexchange.com/questions/17421/how-to-store-salt) – Infra Mar 19 '21 at 07:35
  • Salting does not prevent that situation. Were you expecting it to? – schroeder Mar 19 '21 at 07:43
  • I still don't quite get it. Is the purpose to make the hacker unable to use a rainbow table, so that even if he breaks into the database, he still needs some time to get one password instance, and before that the server could detect it and have enough time to take some action? Otherwise, if there is no action against it, the hacker can still do what I said, right? – Newbie Mar 19 '21 at 07:44
  • Salting means that the attacker cannot pre-calculate the hashes. That part is right. The attacker basically has to start cracking each password hash individually once the hashes and salts are acquired. And if there are users with the same password, that will not be obvious to the attacker. Attackers are still free to try the top 100 passwords against every hash & salt. Nothing prevents that. And doing that might make things faster for the attacker. Your point about "the server could detect it" is strange. The server "detects" attacks on the database itself, not the passwords in this situation. – schroeder Mar 19 '21 at 08:17
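The following is an added worked example, not code from the question or the comments above. It builds a small constructed user table (the names, passwords and the five-word "wordlist" are made up for the demo) and runs both attacks the thread describes: a precomputed table against unsalted hashes, and a per-user dictionary attack against salted ones. PBKDF2-HMAC-SHA256 with a deliberately tiny iteration count stands in for whatever slow password hash a real system would use; the point about salt is the same for bcrypt, scrypt or Argon2.

```python
import hashlib
import os
from typing import Dict, List, Optional, Tuple

# Constructed demo data (not from the original post). A real attacker would use
# a list of millions of leaked passwords; five is enough to show the mechanics.
WORDLIST: List[str] = ["123456", "password", "qwerty", "letmein", "dragon"]
USERS: Dict[str, str] = {
    "alice": "qwerty",
    "bob": "qwerty",
    "carol": "letmein",
    "dave": "correct horse battery staple",  # not in the wordlist
}
ITERATIONS = 1000  # kept small so the demo runs fast; production uses far more


def kdf(password: str, salt: bytes) -> bytes:
    """Password hash with an explicit salt (PBKDF2-HMAC-SHA256 for the demo)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def store_unsalted(password: str) -> bytes:
    """What a system without salts stores: the same password always hashes the same."""
    return kdf(password, b"")


def store_salted(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """What a salted system stores: (salt, hash). The salt is stored in the clear."""
    salt = os.urandom(16) if salt is None else salt
    return salt, kdf(password, salt)


def build_unsalted_db(users: Dict[str, str]) -> Dict[str, bytes]:
    return {u: store_unsalted(p) for u, p in users.items()}


def build_salted_db(users: Dict[str, str]) -> Dict[str, Tuple[bytes, bytes]]:
    return {u: store_salted(p) for u, p in users.items()}


# ---- attacker side -------------------------------------------------------

def precompute_table(wordlist: List[str]) -> Dict[bytes, str]:
    """Rainbow-table stand-in: hash every candidate once, before seeing any database.
    Cost is paid once and amortised over every database ever stolen."""
    return {store_unsalted(w): w for w in wordlist}


def crack_unsalted(db: Dict[str, bytes], table: Dict[bytes, str]) -> Dict[str, Optional[str]]:
    """Unsalted hashes fall to pure lookups: zero hash computations per victim,
    and identical hashes immediately reveal who shares a password."""
    return {u: table.get(h) for u, h in db.items()}


def crack_salted(db: Dict[str, Tuple[bytes, bytes]], wordlist: List[str]
                 ) -> Tuple[Dict[str, Optional[str]], int]:
    """Salt forces recomputation per user: each candidate is re-hashed under that
    user's salt. Returns (results, number of hash computations performed).
    Nothing stops this attack; it just cannot be precomputed or shared across users."""
    found: Dict[str, Optional[str]] = {}
    work = 0
    for user, (salt, stored) in db.items():
        found[user] = None
        for candidate in wordlist:
            work += 1
            if kdf(candidate, salt) == stored:
                found[user] = candidate
                break
    return found, work


def shared_hash_count(db: Dict[str, bytes]) -> int:
    """How many users share a stored hash with someone else (visible without cracking)."""
    hashes = list(db.values())
    return sum(1 for h in hashes if hashes.count(h) > 1)


if __name__ == "__main__":
    unsalted = build_unsalted_db(USERS)
    salted = build_salted_db(USERS)
    table = precompute_table(WORDLIST)

    print("unsalted: alice and bob share a hash:", unsalted["alice"] == unsalted["bob"])
    print("unsalted, table lookup:", crack_unsalted(unsalted, table))
    print("salted: alice and bob share a hash:", salted["alice"][1] == salted["bob"][1])
    print("salted, table lookup hits:", sum(1 for _, h in salted.values() if h in table))
    results, work = crack_salted(salted, WORDLIST)
    print("salted, per-user dictionary attack:", results, "after", work, "hash computations")
```

Running it shows both halves of schroeder's comment: the precomputed table cracks three of four unsalted users with no work at attack time and exposes that alice and bob share a password, while against the salted table it hits nothing and the two "qwerty" hashes differ. The per-user dictionary attack still recovers the same three passwords, but only by re-hashing candidates under every salt, so the attacker's cost grows with the number of users times the number of guesses, and the only lever the defender has over that cost is a slow hash and users who are not in the top of the wordlist.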
