Ok, so I've been reading (a lot!) about security and the whole deal about hashing, salting, encrypting, etc. and something I keep seeing is really bugging me. It seems a lot of people that really seem to know their stuff keeps saying it's OK to store the salt with the hashed password in the DB.
I can't help but to wonder, why? What if your DB is dumped? They have access to everything which, to me, means they can look at any one record and voila(!) there's the hashed password and the plain text salt right next to it. That gives them the info they need to run it against rainbow tables and/or dictionary attacks doesn't it?
I must be missing something (yeah, that's never happened before!!) and would really enjoy some enlightenment on the matter.
Assuming the salt is very long, not knowing the salt would make it nearly impossible to decrypt hash password with salt(due to the additional length that the salt adds to the password), but you still have to brute force even if you do know the salt.
Hacking a hashed password Hashed passwords are a great way to fight off potential hackers, but it doesn't make it impossible for them to gain access. If a system uses a properly designed algorithm to create a hashed password, chances of hacking are extremely low.
Hashed passwords that use salts are what most modern authentication systems use. It does not make a password uncrackable but it does slow down the cracking process because it forces a hacker to hash every password that they want to guess.
The problem is that the hashes still have to be stored, and anything that is stored can be stolen. Hackers could get the password hashes from the server they are stored on in a number of ways. These include through disgruntled employees, SQL injections and a range of other attacks.
Rainbow tables are ineffective against a collection of differently-salted passwords, even if the salt is known; you would have to build a different table for each salt, and that defeats the entire purpose of rainbow tables. It will be faster for an attacker to brute-force each password individually. This is the purpose of having per-user salt.
In other words, rainbow tables are only effective when you are trying to break many passwords that were all digested the same way, using the same digest algorithm. Throwing in different salt for each password means that the passwords are not all digested the same way.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With