Okay, I know this is probably dead simple, but I can't seem to find a straight answer anywhere. Let's say I have the following:
Password: "mypassword"
Salt: 1234567
Is the idea of salting to do something like hash(password + salt) or hash(password) + salt? My guess is that only the former makes any sense at all, but I just want to make sure I'm not missing something.
Please forgive my ignorance.
Recap. A cryptographic salt is a string of random bits added to each password before it is hashed. Salts produce distinct hashes even when two users choose the same password.
Using ten different salts increases the security of hashed passwords by a factor of ten, because an attacker must build a separate lookup table for each salt. If the salt is stored separately from the hash, it also becomes harder for an attacker who obtains the hashes to recover a password from them.
Salting is one protection against precomputed-table attacks. A new salt is randomly generated for each password. Typically, the salt and the password (or its version after key stretching) are concatenated and fed to a cryptographic hash function, and the output hash value (but not the original password) is stored with the salt in a database.
Hashing is a one-way process that converts a password into a fixed-length digest. A hashed password cannot be reversed, but an attacker can still guess candidate passwords, hash them, and compare the results. Password salting adds random data before or after the password prior to hashing so that the stored digest no longer corresponds to the bare password.
You've got it, it's the former.
If you just concatenated the salt and the hash, then an attacker can simply remove the "salt" and use a rainbow table. By hashing the plaintext + salt, the salt cannot be factored out.
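As an added illustration (not part of the question or answer above), the Python below puts the two layouts side by side: in hash(password) + salt the trailing salt can simply be cut off, leaving the same unsalted digest for every user with that password, whereas hash(salt || password), shown here with a random per-user salt and PBKDF2 for key stretching, yields a different stored value per user and still verifies. The iteration count and salt length are assumed settings, not values from the post.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Assumed parameters for this example (not from the original post).
ITERATIONS = 200_000
SALT_BYTES = 16

def weak_store(password: str, salt: bytes) -> bytes:
    """The 'hash(password) + salt' layout from the question: the salt is
    merely appended to an unsalted SHA-256 digest, so it protects nothing."""
    return hashlib.sha256(password.encode()).digest() + salt

def strip_salt(weak_record: bytes) -> bytes:
    """Discarding the appended salt leaves a plain SHA-256 of the password,
    which a precomputed lookup table already covers."""
    return weak_record[:32]

def make_record(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """hash(salt || password) done properly: a fresh random salt per user and
    PBKDF2-HMAC-SHA256 (key stretching) over salt and password together.
    Returns (salt, digest); both are stored, the password is not."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest

def verify(password: str, salt: bytes, stored_digest: bytes) -> bool:
    """Re-derive with the stored salt and compare in constant time."""
    _, candidate = make_record(password, salt)
    return hmac.compare_digest(candidate, stored_digest)

if __name__ == "__main__":
    # Constructed sample: two users who happen to pick the same password.
    pw = "mypassword"
    s1, s2 = os.urandom(SALT_BYTES), os.urandom(SALT_BYTES)
    # Broken layout: after stripping the salt, both records are identical.
    print(strip_salt(weak_store(pw, s1)) == strip_salt(weak_store(pw, s2)))
    # Proper layout: stored digests differ, and each still verifies.
    salt_a, dig_a = make_record(pw)
    salt_b, dig_b = make_record(pw)
    print(dig_a != dig_b, verify(pw, salt_a, dig_a), verify("wrong", salt_a, dig_a))
```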