The necessity of hiding the salt for a hash

by

Hiding a salt is unnecessary.

A different salt should be used for every hash. In practice, this is easy to achieve by getting 8 or more bytes from cryptographic quality random number generator.

From a previous answer of mine:

Salt helps to thwart pre-computed dictionary attacks.

Suppose an attacker has a list of likely passwords. He can hash each
and compare it to the hash of his victim’s password, and see if it
matches. If the list is large, this could take a long time. He doesn’t
want spend that much time on his next target, so he records the result
in a “dictionary” where a hash points to its corresponding input. If
the list of passwords is very, very long, he can use techniques like a
Rainbow Table to save some space.

However, suppose his next target salted their password. Even if the
attacker knows what the salt is, his precomputed table is
worthless—the salt changes the hash resulting from each password. He
has to re-hash all of the passwords in his list, affixing the target’s
salt to the input. Every different salt requires a different
dictionary, and if enough salts are used, the attacker won’t have room
to store dictionaries for them all. Trading space to save time is no
longer an option; the attacker must fall back to hashing each password
in his list for each target he wants to attack.

So, it’s not necessary to keep the salt secret. Ensuring that the
attacker doesn’t have a pre-computed dictionary corresponding to that
particular salt is sufficient.

After thinking about this a bit more, I’ve realized that fooling yourself into thinking the salt can be hidden is dangerous. It’s much better to assume the salt cannot be hidden, and design the system to be safe in spite of that. I provide a more detailed explanation in another answer.

However, recent recommendations from NIST encourage the use of an additional, secret “salt” (I’ve seen others call this additional secret “pepper”). One additional iteration of the key derivation can be performed using this secret as a salt. Rather than increasing strength against a pre-computed lookup attack, this round protects against password guessing, much like the large number of iterations in a good key derivation function. This secret serves no purpose if stored with the hashed password; it must be managed as a secret, and that could be difficult in a large user database.

More Related Contents:

  1. Fundamental difference between Hashing and Encryption algorithms
  2. Difference between Hashing a Password and Encrypting it
  3. SHA512 vs. Blowfish and Bcrypt [closed]
  4. Password hashing, salt and storage of hashed values
  5. What algorithm should I use to hash passwords into my database? [duplicate]
  6. Salt Generation and open source software
  7. Is “double hashing” a password less secure than just hashing it once?
  8. How can bcrypt have built-in salts?
  9. Non-random salt for password hashes
  10. Why is security through obscurity a bad idea? [closed]
  11. Encrypting/Hashing plain text passwords in database [closed]
  12. Are HTTPS headers encrypted?
  13. Where do you store your salt strings?
  14. Why is using a Non-Random IV with CBC Mode a vulnerability?
  15. Best Practices: Salting & peppering passwords?
  16. What is the purpose of base 64 encoding and why it used in HTTP Basic Authentication?
  17. Differences Between Rijndael and AES
  18. Preventing Brute Force Logins on Websites
  19. Why do salts make dictionary attacks ‘impossible’?
  20. md5 decoding. How they do it?
  21. What is the best Distributed Brute Force countermeasure? [closed]
  22. How do I generate a SALT in Java for Salted-Hash?
  23. Is it worth encrypting email addresses in the database?
  24. Why not use MD5 for password hashing?
  25. Should I impose a maximum length on passwords?
  26. MD5 security is fine? [closed]
  27. How can I hash passwords in postgresql?
  28. How to send password securely via HTTP using Javascript in absence of HTTPS?
  29. What’s wrong with XOR encryption?
  30. Do I need a “random salt” once per password or only once per database?

Leave a Comment