Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Password salts: prepending vs. appending

Tags:

security

password-protection

hash

salt

I just looked at the implementation of password hashing in Django and noticed that it prepends the salt, so the hash is created like sha1(salt + password), for example.

In my opinion, salts are good for two purposes

  1. Preventing rainbow table lookups

    Alright, prepending/appending the salt doesn't really make a difference for rainbow tables.

  2. Hardening against brute-force/dictionary attacks

    This is what my question is about. If someone wants to attack a single password from a stolen password database, he needs to try a lot of passwords (e.g. dictionary words or [A-Za-z0-9] permutations).

    Let's assume my password is "abcdef", the salt is "salt" and the attacker tries all [a-z]{6} passwords.

    With a prepended salt, one must calculate hash("salt"), store the hash algorithm's state and then go on from that point for each permutation. That is, going through all permutations would take 26^6 copy-hash-algorithm's-state-struct operations and 26^6 hash(permutation of [a-z]{6}) operations. As copying the hash algorithm's state is freakin fast, the salt hardly adds any complexity here, no matter how long it is.

    But, with an appended salt, the attacker must calculate hash(permutation of [a-z]{6} + salt) for each permutation, leading to 26^10 hash operations. So obviously, appending salts adds complexity depending on the salt length.

I don't believe this is for historical reasons because Django is rather new. So what's the sense in prepending salts?

like image 445
AndiDog Avatar asked Nov 13 '10 09:11

AndiDog

2 Answers

Do neither, use a standard Key derivation function like PBKDF2. Never roll your own crypto. It's much too easy to get it wrong. PBKDF2 uses many iterations to protect against bruteforce which is a much bigger improvement than the simple ordering.

And your trick pre-calculating the internal state of the hash-function after processing the salt probably isn't that easy to pull off unless the length of the salt corresponds to the block-length of the underlying block-cypher.

like image 140
CodesInChaos Avatar answered Nov 01 '22 22:11

CodesInChaos

If salt is prepended, attacker can make hash state database for salts (assuming salt is long enough to make a hashing step) and then run dictionary attack.

But if salt is appended, attacker can make such database for password dictionary and additionally compute only salt's hash. Given that salt is usually shorter than password (like 4 chars salt and 8 char password), it will be faster attack.

like image 31
blaze Avatar answered Nov 01 '22 21:11

blaze
Sign in to Comment

Related questions

Should 2FA secret codes be hashed for storage?
"Secure origin" other than HTTPS?
Running "partially trusted" .NET assemblies from a network share
What's best way to secure a database connection string?
Preventing the Osama Facebook worm [closed]
Dynamically running ClamAV's clamscan on file uploads with PHP
How to detect if an iframe is accessible without triggering an error?
Encrypting or scrubbing Rails log files
What is {${phpinfo()}} called? (Remote Command Execution related)
Securing WIFI for a web application
Objective C: Unable to fetch SecKeyRef from PEM private key
Erase keychain data if device is jail broken
USSD secure or not?
Does Java Web Start require that the Java browser plug-in is enabled?
Web application access user's file system
How to verify POST data is sent from Android app with correct SHA1 signature?
Is .textContent completely secure?
How to Digitally "Sign" a document
wcf net.tcp using SSL
Is the Rails default CSRF protection insecure?

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!