 

Salts and Passwords - prefix or postfix

This is a question about salting phrases that need to be hashed.

I was wondering if it is more secure to prefix the salt to a phrase or postfix it: salt + phrase or phrase + salt?

My question comes from this comment on this post on MD5s. I am not sure I understand the reasoning behind the author's comment.

Raj Rao asked Sep 15 '25 00:09


2 Answers

Whether the salt is appended to the front or the back makes no difference.

The following factors will affect security, though:

  1. Is your salt private (if so, how private is it?)? The more private the better. This means that if you can avoid storing your salt in your db, you can make your system safe against brute force attacks even if your db is compromised.
  2. Is your salt random per value salted? This helps defend against rainbow table attacks if, say, your db is compromised and your salt is stored in the db. Note: if the passwords being stored are long enough, they can be immune to brute force attacks.
  3. Is your salt long enough? The longer your salt, the more secure you are.
Sam Saffron answered Sep 17 '25 18:09


When someone has a question about the use of salts, I fear it is because they are busy (re)inventing things they really shouldn't be in the first place. Based on the question, my recommendation is to use an HMAC.

Einstein answered Sep 17 '25 20:09
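The following is an added worked example that is not part of the original question or either answer. It puts the three things discussed above side by side in working Python: the prefix-vs-postfix question (both orders produce a digest of the same strength, so the only requirement is that hashing and verification agree), the two salt properties from the first answer (a per-row random salt defeats a precomputed table but does not stop guessing against a single row; a secret kept out of the database stops guessing altogether), and the keyed HMAC the second answer recommends. MD5 is used for the salted variants only because the question is about MD5; `WORDLIST`, the password `hunter2`, the pepper bytes and all function names are constructed for this example and are not from the page. Only the standard library is used.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed sample data for this example (not from the original page).
WORDLIST = ["123456", "password", "letmein", "hunter2", "qwerty"]


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def salted_md5(password: str, salt: bytes, salt_first: bool = True) -> str:
    """Ad hoc salting as in the question: md5(salt + phrase) or md5(phrase + salt).
    Either order works; what matters is that make_record and verify_record agree."""
    pw = password.encode("utf-8")
    return md5_hex(salt + pw if salt_first else pw + salt)


def make_record(password: str, salt_first: bool = True) -> dict:
    """Store a fresh random per-user salt next to the digest (the usual DB layout)."""
    salt = secrets.token_bytes(16)
    return {"salt": salt.hex(),
            "digest": salted_md5(password, salt, salt_first),
            "salt_first": salt_first}


def verify_record(record: dict, candidate: str) -> bool:
    salt = bytes.fromhex(record["salt"])
    expected = salted_md5(candidate, salt, record["salt_first"])
    return hmac.compare_digest(expected, record["digest"])  # constant-time compare


def precomputed_lookup(digest: str, table: dict) -> Optional[str]:
    """Tiny stand-in for a rainbow table: unsalted md5 -> password, built once and
    reused against every row. A per-row salt makes this table useless."""
    return table.get(digest)


def dictionary_attack(record: dict, wordlist) -> Optional[str]:
    """Offline attacker holding the DB row (salt + digest). The salt forces one MD5
    per guess per row instead of one table for all rows, but MD5 is cheap, so a
    password from a small wordlist still falls immediately."""
    salt = bytes.fromhex(record["salt"])
    for word in wordlist:
        if salted_md5(word, salt, record["salt_first"]) == record["digest"]:
            return word
    return None


def hmac_record(password: str, pepper: bytes) -> dict:
    """Keyed alternative (the HMAC suggestion). `pepper` is a server-side secret that
    is NOT stored in the DB, i.e. the 'private salt' of the first answer. A random
    per-user salt is still included so that equal passwords give different digests."""
    salt = secrets.token_bytes(16)
    digest = hmac.new(pepper, salt + password.encode("utf-8"), hashlib.sha256).hexdigest()
    return {"salt": salt.hex(), "digest": digest}


def verify_hmac_record(record: dict, candidate: str, pepper: bytes) -> bool:
    salt = bytes.fromhex(record["salt"])
    expected = hmac.new(pepper, salt + candidate.encode("utf-8"), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, record["digest"])


def dictionary_attack_hmac(record: dict, wordlist, pepper_guess: bytes) -> Optional[str]:
    """Without the real pepper an attacker who only has the DB row cannot even test a
    guess; once the pepper leaks, this is the same guess loop as dictionary_attack."""
    salt = bytes.fromhex(record["salt"])
    for word in wordlist:
        mac = hmac.new(pepper_guess, salt + word.encode("utf-8"), hashlib.sha256).hexdigest()
        if mac == record["digest"]:
            return word
    return None


if __name__ == "__main__":
    salt = secrets.token_bytes(16)
    print("salt first     :", salted_md5("hunter2", salt, True))
    print("salt last      :", salted_md5("hunter2", salt, False))
    table = {md5_hex(w.encode("utf-8")): w for w in WORDLIST}
    print("unsalted lookup:", precomputed_lookup(md5_hex(b"hunter2"), table))
    rec = make_record("hunter2")
    print("salted lookup  :", precomputed_lookup(rec["digest"], table))
    print("salted guessing:", dictionary_attack(rec, WORDLIST))
    pepper = secrets.token_bytes(32)          # lives in config/HSM, never in the DB
    hrec = hmac_record("hunter2", pepper)
    print("no pepper      :", dictionary_attack_hmac(hrec, WORDLIST, b"wrong"))
    print("pepper leaked  :", dictionary_attack_hmac(hrec, WORDLIST, pepper))
```

Two practical notes on the design. First, the salt position is irrelevant to the attacker, so pick one order and keep it, ideally by storing the salt and digest together so the verifier never has to guess the layout. Second, the example shows why a random salt alone does not make a database dump safe: it only removes the precomputation shortcut, and every guess is still a single cheap MD5. The keyed HMAC changes the picture only as long as the key stays out of the compromised database; if it leaks along with the rows, the attacker is back to the plain guess loop. For actual password storage a deliberately slow, salted password hash (bcrypt, scrypt, Argon2 or PBKDF2) is the standard answer, with a server-side pepper on top where the key can be kept separate.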