1

I may be wrong here but reading about salt I was wondering whether if we use the same salt for every password saved in our database won't users having same password would lead to same hash even after adding salt, hence diminishing the sole purpose of adding salt.

If it is true should we only use random salt to the databases?

And what should be an optimal salt length?

Could someone also explain how is the salt decided, whether it is a pre agreed data that is added only through the code or is it saved somewhere from where it is accessed again and again for each and every password.

Harshit Bhatt
  • 11
  • 3

2 Answers2

1

Yes, if you use the same salt then the same password will result in the same hash.

The general idea behind secure password storage lies in maximising the amount of computational work that an adversary will have to perform should they gain access to the stored credentials.

The purpose of a salt is to mitigate the value of pre-computed (i.e. no additional work as they already exist) hashes. In the case of salt-less storage an adversary can simply compare their list against your stored passwords. If you were to use the same salt then, although a new list of hashes would have to be produced, it would only have to be done once. Per-password salts require a new brute-force attack for each password.

You can store the salt with the hash as its predominant contribution to security lies in its uniqueness (and size) rather than its secrecy.

Here is a good resource, and I would suggest paying attention to the adaptive one-way functions that allow for key stretching:

https://www.owasp.org/index.php/Password_Storage_Cheat_Sheet

Arran Schlosberg
  • 904
  • 1
  • 7
  • 14
0

SALT supposed to be not secret => same for all users <=> no SALT at all.

You can see good explanation here: Hashing security

Nikolai
  • 146
  • 4