Questions tagged [salt]

A salt is a random value combined with a password before hashing, so that the stored hash cannot be attacked with a precomputed lookup table.

In cryptography, a salt consists of random bits forming one of the inputs to a one-way hashing function. The other input is usually a password or passphrase. The salt is not secret and is normally stored alongside the hashed password, since the verifier needs it to recompute the hash.

The benefit of salting is that a lookup-table (rainbow-table) assisted dictionary attack against the stored values becomes impractical: the attacker cannot precompute one table for all accounts, and identical passwords no longer produce identical hashes. This holds only if each password gets its own salt, drawn from a cryptographically secure random source, and the salt is large enough (16 bytes is typical) that salts will not repeat across users.
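The following is an added example, not part of the tag wiki, showing the attack the text describes and why a per-user salt defeats it. It uses PBKDF2-HMAC-SHA256 from the Python standard library as the password hash (a stand-in for scrypt, bcrypt or Argon2, which the questions below recommend), and the `pbkdf2_sha256$iterations$salt$hash` record format and the sample wordlist are constructed for the demonstration.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 600_000  # PBKDF2-SHA256 work factor; tune to your hardware

# Constructed sample: a password that appears in a breach wordlist and is
# used by two different users of the same site.
COMMON_PASSWORD = "Password123"


def unsalted_hash(password: str) -> str:
    """Plain SHA-256 of the password. Identical passwords give identical
    hashes, so one precomputed table cracks every account that uses them."""
    return hashlib.sha256(password.encode()).hexdigest()


def salted_hash(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """PBKDF2-HMAC-SHA256 over the password with a per-user salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def new_record(password: str) -> str:
    """Create a stored credential: a fresh salt from the OS CSPRNG, encoded
    next to the hash so that verification can recover it. The salt is not
    secret; its job is to be unique per record."""
    salt = secrets.token_bytes(16)  # 128 bits: collisions across users are negligible
    digest = salted_hash(password, salt)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    scheme, iters, salt_hex, digest_hex = record.split("$")
    if scheme != "pbkdf2_sha256":
        raise ValueError(f"unsupported scheme {scheme!r}")
    candidate = salted_hash(password, bytes.fromhex(salt_hex), int(iters))
    # hmac.compare_digest avoids leaking how many leading bytes matched
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def lookup_table_attack(stored_hashes, wordlist):
    """Attacker side: build hash -> password once, then crack every stored
    value with a single dictionary lookup each."""
    table = {unsalted_hash(w): w for w in wordlist}
    return {h: table[h] for h in stored_hashes if h in table}


def demo() -> dict:
    wordlist = ["123456", "Password123", "letmein", "qwerty"]  # constructed

    # Unsalted: both users' hashes are identical and both fall to one lookup.
    unsalted = [unsalted_hash(COMMON_PASSWORD), unsalted_hash(COMMON_PASSWORD)]
    cracked = lookup_table_attack(unsalted, wordlist)

    # Salted: same password, different salts, different records. The
    # attacker's table of unsalted digests never matches a salted digest.
    rec_a, rec_b = new_record(COMMON_PASSWORD), new_record(COMMON_PASSWORD)
    salted_digests = [r.split("$")[3] for r in (rec_a, rec_b)]
    table_hits = lookup_table_attack(salted_digests, wordlist)

    return {
        "unsalted_identical": unsalted[0] == unsalted[1],
        "unsalted_cracked": len(cracked),
        "salted_identical": rec_a == rec_b,
        "salted_table_hits": len(table_hits),
        "verify_correct": verify(COMMON_PASSWORD, rec_a),
        "verify_wrong": verify("Password124", rec_a),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Against a salted store the attacker must run the work factor once per guess per account; the precomputed table buys nothing, which is the whole point of the salt.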

365 questions
599
votes
7 answers

How to store salt?

If you expect to store user passwords securely, you need to do at least the following: $pwd=hash(hash($password) + salt) Then, you store $pwd in your system instead of the real password. I have seen some cases where $pwd contains the salt itself. I…
George
265
votes
7 answers

Password Hashing: add salt + pepper or is salt enough?

Please Note: I'm aware that the proper method for secure password storage hashing is either scrypt or bcrypt. This question isn't for implementation in actual software, it's for my own understanding. Related How to apply a pepper correctly to…
Jacco
256
votes
8 answers

Why are salted hashes more secure for password storage?

I know there are many discussions on salted hashes, and I understand that the purpose is to make it impossible to build a rainbow table of all possible hashes (generally up to 7 characters). My understanding is that the random salted values are…
Tsyras
92
votes
9 answers

Does anybody not store salts?

We talked about password hashing and salting in class today. Our professor had a very different understanding of the use case of salts from mine and said that you might not store the salt at all and just check every login attempt with all possible…
jazzpi
80
votes
3 answers

How can I create a password that says "SALT ME!" when hashed?

How can I create a password, which when directly hashed (without any salt) with md5 will return a string containing the 8 characters "SALT ME!". The hope is that a naive developer browsing through his user database will see the "hash", realize the…
Joel
78
votes
8 answers

Convincing my manager to use salts

My manager says we don't need to salt our passwords because people are not likely to use the same password because they all have different native languages, in addition to the websites they are active at. What is the best counter argument to this?
user46866
66
votes
7 answers

Is it safe/wise to store a salt in the same field as the hashed password?

In using Argon2 for hashing passwords in my application, I've noticed it generates a string like this (e.g. for password "rabbit"): $argon2i$v=19$m=65536,t=3,p=1$YOtX2//7NoD/owm8RZ8llw==$fPn4sPgkFAuBJo3M3UzcGss3dJysxLJdPdvojRF20ZE= My understanding…
PenumbraBrah
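As an added example (not the asker's code), the encoded string quoted in this question can be split into its fields to show what "salt in the same field" means in practice: the salt sits in the clear between the parameters and the digest, which is exactly what a verifier needs to recompute the hash. The PHC string format normally omits base64 padding, while the asker's library emitted padded values, so the decoder below accepts both. Actually verifying the password "rabbit" against this record would need an Argon2 implementation, which the Python standard library does not provide; this block only parses.

```python
import base64
from dataclasses import dataclass

# The encoded Argon2 string quoted in the question above (password "rabbit").
ENCODED = (
    "$argon2i$v=19$m=65536,t=3,p=1"
    "$YOtX2//7NoD/owm8RZ8llw=="
    "$fPn4sPgkFAuBJo3M3UzcGss3dJysxLJdPdvojRF20ZE="
)


@dataclass
class Argon2Record:
    variant: str      # argon2i, argon2d or argon2id
    version: int      # 19 == 0x13, the current Argon2 version
    memory_kib: int   # m: memory cost in KiB
    time_cost: int    # t: number of passes
    parallelism: int  # p: lanes
    salt: bytes       # stored in the clear; uniqueness, not secrecy, is its job
    digest: bytes     # the hash output the verifier compares against


def _b64decode(s: str) -> bytes:
    # PHC strings usually drop the '=' padding; some libraries keep it.
    # Re-pad to a multiple of 4 so either form decodes.
    return base64.b64decode(s + "=" * (-len(s) % 4))


def parse_argon2(encoded: str) -> Argon2Record:
    """Split a PHC-formatted Argon2 string into its components."""
    parts = encoded.split("$")
    # The leading '$' produces an empty first element, so six parts total.
    if len(parts) != 6 or parts[0] != "":
        raise ValueError("not a PHC-formatted argon2 string")
    _, variant, version, params, salt_b64, digest_b64 = parts
    if variant not in ("argon2i", "argon2d", "argon2id"):
        raise ValueError(f"unknown variant {variant!r}")
    if not version.startswith("v="):
        raise ValueError("missing version field")
    kv = dict(item.split("=", 1) for item in params.split(","))
    return Argon2Record(
        variant=variant,
        version=int(version[2:]),
        memory_kib=int(kv["m"]),
        time_cost=int(kv["t"]),
        parallelism=int(kv["p"]),
        salt=_b64decode(salt_b64),
        digest=_b64decode(digest_b64),
    )


if __name__ == "__main__":
    rec = parse_argon2(ENCODED)
    print(rec.variant, rec.version, rec.memory_kib, rec.time_cost, rec.parallelism)
    print("salt  :", rec.salt.hex(), f"({len(rec.salt)} bytes)")
    print("digest:", rec.digest.hex(), f"({len(rec.digest)} bytes)")
```

Because the parameters travel with the record, the verifier can recompute the hash for this user even after the site-wide defaults (memory, passes, lanes) have been raised for new accounts, which is why self-describing formats like this are preferred over a separate salt column.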
59
votes
2 answers

How Does A Random Salt Work?

I don't understand how using a random salt for hashing passwords can work. Perhaps random salt refers to something other than hashing passwords? Here is my thought process: The salt is used to add extra junk to the end of a password prior to…
Kevin DiTraglia
55
votes
3 answers

Secret salts; why do they slow down attacker more than they do me?

When studying Dan Boneh's slides for 'Session Management and User Authentication' (2011) he mentions 'secret salts' on the slide 'Further defences' (slide 48 out of 58). He suggests storing in the database: Alice|SA|H(pwA , SA , rA) In which Alice…
harm
53
votes
4 answers

Why is using salt more secure?

Storing the hash of users' passwords, e.g. in a database, is insecure since human passwords are vulnerable to dictionary attacks. Everyone suggests that this is mitigated via the use of salts, but the salt is considered non-sensitive and does not…
Jim
47
votes
6 answers

"Real" Salt and "Fake" Salt

During a Q&A period at DEFCON this year, one member of the audience mentioned that we're using "fake salt" when concatenating a random value and a password before hashing. He defined "real salt" as something seen in the original Unix crypt…
Jeff Ferland
45
votes
4 answers

What should be used as a salt?

I always hear that it is best to use salts on top of stored passwords, which then somehow get concatenated and hashed afterwards. But I don't know what to use as the salt. What would be a good salt?
Sal Rahman
43
votes
9 answers

Is salting a hash really as secure as common knowledge implies?

I'm implementing a salt function for user passwords on my web page, and I'm wondering about some things. A salt is an extension added to a password and then hashed, meaning the password is stored in the database as hash(password+salt). But where…
43
votes
12 answers

Is there any real value in hashing/salting passwords?

I look after a system which holds a lot of "low grade" information, nothing financial but name/address/email etc. Someone has suggested that we up the security from the current in house password encryption algorithm to use ICO recommended…
Steve
41
votes
3 answers

Is it safe to check password against the HIBP Pwned Passwords API during account registration?

User registers account on a web app. Passwords are salted and hashed. But is it safe to check the password against the HIBP Pwned Passwords API, before salting and hashing it? Of course the app uses TLS. So if the password is found on any breach -…
Bitenieks