Questions tagged [salt]

A salt is random data added to a password before hashing so that the stored hash cannot be attacked with a precomputed lookup (rainbow) table.

In cryptography, a salt consists of random bits that form one of the inputs to a one-way hashing function; the other input is usually a password or passphrase. The salt is not a secret: it is stored in the clear alongside the hashed password so that the hash can be recomputed at login.

The benefit of salting is that a precomputed lookup table (a rainbow table) cannot be reused across stored hashes: every candidate password has to be re-hashed under each user's own salt, so a dictionary attack against the stored values costs one full pass per record instead of one lookup. This holds only if each salt is unique per password (random, and long enough, 16 bytes is typical, that precomputing a table for every possible salt value is impractical). A salt does not slow down guessing against any single hash; that is the job of a deliberately slow password hash such as bcrypt, scrypt or Argon2, which take the salt as an input.
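A worked example, added to this tag wiki and not taken from any of the questions listed below, of what salting does and does not buy. It assumes PBKDF2-HMAC-SHA256 with a 16-byte random salt and a self-describing record format of the form `pbkdf2_sha256$iterations$salt$hash`; all of these choices are this example's own. The second half contrasts an unsalted SHA-256 database, which one precomputed table cracks by lookup, with salted records, where each guess has to be re-hashed per record. The sample users and dictionary are constructed for the demo.

```python
import hashlib
import hmac
import os
from typing import Dict, Iterable, List, Optional

# Parameters chosen for this example (an assumption, not something the tag wiki prescribes).
SALT_LEN = 16          # 128-bit salt, freshly random for every stored password
ITERATIONS = 600_000   # PBKDF2-HMAC-SHA256 work factor for real records
DKLEN = 32             # length of the derived hash in bytes


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a self-describing record 'pbkdf2_sha256$<iterations>$<salt hex>$<hash hex>'.

    The salt is stored in the clear next to the hash: it is not a secret, it only
    has to be unpredictable and different for every password."""
    if salt is None:
        salt = os.urandom(SALT_LEN)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                             iterations, dklen=DKLEN)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and parameters, compare in constant time."""
    algo, iterations, salt_hex, hash_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported record format")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations), dklen=DKLEN)
    return hmac.compare_digest(dk, bytes.fromhex(hash_hex))


def sha256_hex(password: str) -> str:
    """Plain unsalted SHA-256, the kind of scheme a lookup table attacks."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def build_lookup_table(words: Iterable[str]) -> Dict[str, str]:
    """One precomputed table serves every unsalted hash in every database."""
    return {sha256_hex(w): w for w in words}


def crack_unsalted(stored_hashes: Iterable[str], table: Dict[str, str]) -> Dict[str, str]:
    """Against unsalted hashes, cracking is one dictionary lookup per record."""
    return {h: table[h] for h in stored_hashes if h in table}


def crack_salted(records: Iterable[str], words: List[str]) -> Dict[str, str]:
    """Against salted records no table can be shared: every guess is re-hashed
    under each record's own salt, so the work multiplies by the number of records."""
    found: Dict[str, str] = {}
    for rec in records:
        for w in words:
            if verify_password(w, rec):
                found[rec] = w
                break
    return found


def demo() -> dict:
    """Constructed sample data: two users, one of whom chose a dictionary word."""
    words = ["123456", "password", "letmein", "qwerty", "hunter2"]
    # Unsalted storage: the precomputed table cracks the weak password instantly.
    unsalted = [sha256_hex("hunter2"), sha256_hex("correct horse battery")]
    table = build_lookup_table(words)
    # Salted storage (low iteration count only to keep the demo fast).
    salted = [hash_password("hunter2", iterations=1000),
              hash_password("correct horse battery", iterations=1000)]
    return {
        "unsalted_cracked": crack_unsalted(unsalted, table),
        "salted_cracked": crack_salted(salted, words),
        # Same password, same hash: a leaked unsalted table reveals shared passwords.
        "same_password_same_hash_unsalted": sha256_hex("hunter2") == sha256_hex("hunter2"),
        # Fresh salt per call: two users with the same password get different records.
        "same_password_same_hash_salted": hash_password("hunter2", iterations=1000)
                                          == hash_password("hunter2", iterations=1000),
        "records": salted,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Note that the salted records still fall to the dictionary, just one record at a time; only the slow hash (the iteration count here, or bcrypt/scrypt/Argon2 in production) raises the cost of each of those guesses.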

365 questions
40 votes, 9 answers

Why don't people hash and salt usernames before storing them

Everyone knows that if they have a system that requires a password to log in, they should be storing a hashed & salted copy of the required password, rather than the password in plaintext. What I started to wonder today is why they don't also…
Grezzo
40 votes, 1 answer

How does the attacker know what algorithm and salt to use in a dictionary attack?

I am curious about password cracking methods like dictionary and brute force attacks. Nowadays passwords are stored as hashes and not plaintext on the server. Then how can the plaintext passwords in the dictionary be compared with the hashes in the…
andjava
39 votes, 8 answers

Find matching phone numbers without actually knowing them

We have a mobile app that, given two users, needs to let them see what common contacts they have based on their phone numbers. How can we do this in a cryptographically secure way and respecting the users' privacy (i.e. without sharing the numbers…
liviucmg
35 votes, 8 answers

Why would salt not have prevented LinkedIn passwords from getting cracked?

In this interview posted on Krebs on Security, this question was asked and answered: BK: I’ve heard people say, you know this probably would not have happened if LinkedIn and others had salted the passwords — or added some randomness to each of…
pepsi
34 votes, 7 answers

How can crackers reconstruct 200k salted password hashes so fast?

I'm researching for a small talk about web security and I found one article about the formspring hack, which made me curious. They claim to have used SHA-256 + salt: "We were able to immediately fix the hole and upgraded our hashing mechanisms from…
32 votes, 2 answers

How big should salt be?

I will be using scrypt to store passwords in my application. As such, I'll be using SHA-256 and Salsa20 crypto primitives (with PBKDF2). Having that in mind, how big a salt should I use? Should it be equal to the size of the SHA-256 output, 256 bits, or…
Hubert Kario
30 votes, 9 answers

Is there a way to add salted hashing to my user authentication without breaking my former login server

I am presented with the following scenario: I have a MySQL database with a table of users. The table has two fields: username and password. The password is stored as an unsalted hash. An over-15-year-old application uses this database to…
Ben
30 votes, 3 answers

With PBKDF2, what is an optimal Hash size in bytes? What about the size of the salt?

When creating a hash with PBKDF2, it allows the developer to choose the size of the hash. Is longer always better? Also, what about the size of the random salt? Should that be the same size as the hash? EDIT: Particularly in hashing passwords.
blesh
27 votes, 5 answers

What are the differences between an encryption seed and salt?

Today I had a hard time explaining the difference to a friend. I know seeds are used when generating "random" strings. And salts are used when providing different outcomes to a hash. What is a better way of describing these concepts and their…
Gabriel Fair
27 votes, 5 answers

In hashing, does it matter how random a salt is?

I recently had a comment made to me in an online discussion after I'd stated that randomness in a salt doesn't matter -- and I got the following response: Salts may not have to be "secure," but the method of generation can matter. Using a…
erik
26 votes, 6 answers

Do salts have to be random, or just unique and unknown?

First of all, my motive is to avoid storing the salt in the database as plain text. As far as this question is concerned, the salt is not stored in the database. After discussion in comments and in chat, I've come up with a theory: It appears that…
user26547
26 votes, 1 answer

bcrypt no need to store salt?

I'm confused with bcrypt: I would think I would need to store my salt, and then compare my plaintext password + salt to the hashed password; however, from the documentation it does not look like storing the salt is necessary at all. Indeed I used this…
edencorbin
25 votes, 5 answers

Does too long a salt reduce the security of a stored password hash?

Suppose we have passwords that are statistically 7-8 characters long. Is appending a 200 character long salt less secure than a 5 character salt, because of the similar hash function inputs? I was wondering: what if someone tries to guess the salt…
Piotr Müller
24 votes, 5 answers

When hashing passwords, is it ok to use the hashed password as the salt?

I don't like this idea. But I can not come up with a technical argument against it. Can somebody explain it to me? The basic idea is: $passwd = 'foo'; $salt = hash($passwd); $finalHash = hash($passwd . $salt); The $finalHash is what would be stored…
joe user
24 votes, 6 answers

Does prepending a salt to the password instead of inserting it in the middle decrease security?

I read somewhere that adding a salt at the beginning of a password before hashing it is a bad idea. Instead, the article claimed it is much more secure to insert it somewhere in the middle of the password. I don't remember where I found this, and I…
Arseni Mourzenko