Password hashing, salt and storage of hashed values

by

The salt just needs to be random and unique. It can be freely known as it doesn’t help an attacker. Many systems will store the plain text salt in the database in the column right next to the hashed password.

The salt helps to ensure that if two people (User A and User B) happen to share the same password it isn’t obvious. Without the random and unique salt for each password the hash values would be the same and obviously if the password for User A is cracked then User B must have the same password.

It also helps protect from attacks where a dictionary of hashes can be matched against known passwords. e.g. rainbow tables.

Also using an algorithm with a “work factor” built in also means that as computational power increases the work an algorithm has to go through to create the hash can also be increased. For example, bcrypt. This means that the economics of brute force attacks become untenable. Presumably it becomes much more difficult to create tables of known hashes because they take longer to create; the variations in “work factor” will mean more tables would have to be built.

More Related Contents:

  1. Fundamental difference between Hashing and Encryption algorithms
  2. Difference between Hashing a Password and Encrypting it
  3. Salt Generation and open source software
  4. SHA512 vs. Blowfish and Bcrypt [closed]
  5. The necessity of hiding the salt for a hash
  6. Where do you store your salt strings?
  7. What algorithm should I use to hash passwords into my database? [duplicate]
  8. Best Practices: Salting & peppering passwords?
  9. Why do salts make dictionary attacks ‘impossible’?
  10. How do I generate a SALT in Java for Salted-Hash?
  11. How can I hash passwords in postgresql?
  12. Do I need a “random salt” once per password or only once per database?
  13. Is “double hashing” a password less secure than just hashing it once?
  14. How can bcrypt have built-in salts?
  15. Non-random salt for password hashes
  16. Why is security through obscurity a bad idea? [closed]
  17. Encrypting/Hashing plain text passwords in database [closed]
  18. Are HTTPS headers encrypted?
  19. What is the optimal length for user password salt? [closed]
  20. Why is using a Non-Random IV with CBC Mode a vulnerability?
  21. What is the purpose of base 64 encoding and why it used in HTTP Basic Authentication?
  22. Differences Between Rijndael and AES
  23. md5 decoding. How they do it?
  24. Is it worth encrypting email addresses in the database?
  25. Why not use MD5 for password hashing?
  26. Should I impose a maximum length on passwords?
  27. MD5 security is fine? [closed]
  28. How to send password securely via HTTP using Javascript in absence of HTTPS?
  29. What’s wrong with XOR encryption?
  30. What is the clash rate for md5? [closed]

Leave a Comment