 

What is the purpose of the "salt" when hashing?

OK, I’m trying to understand the reason to use a salt.

When a user registers I generate a unique salt for him/her that I store in DB. Then I hash it and the password with SHA1. And when he/she is logging in I re-hash it with sha1($salt.$password).

But if someone hacks my database he can see the hashed password AND the salt.

Is that harder to crack than just hashing the password without a salt? I don’t understand …

Sorry if I’m stupid …

Krzysztof asked Dec 10 '09 22:12



2 Answers

If you don't use a salt then an attacker can precompute a password<->hash database offline even before they've broken into your server. Adding a salt massively increases the size of that database, making it harder to perform such an attack.

Also, once they've broken in they can guess a commonly used password, hash it, and then check all of the passwords in the database for a match. With a different salt for each user, they can only attack one password at a time.

There's an article at Wikipedia about salts in cryptography.

Mark Byers answered Sep 20 '22 12:09
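The two effects described in this answer, shown as an added example that is not part of the original answer: a small constructed user table and wordlist, the unsalted scheme cracked with one precomputed lookup table, and the question's own sha1(salt . password) scheme where every guess has to be re-hashed for every user. The user names, passwords and wordlist are constructed for illustration. The last function is a caveat the answer does not spell out: SHA-1 is fast, so a salt alone only multiplies attacker work by the number of users; a deliberately slow KDF such as PBKDF2 (here via Python's standard hashlib.pbkdf2_hmac) multiplies it by the iteration count as well.

```python
import hashlib
import secrets

# Constructed sample data: three users, two of whom chose the same weak password.
USERS = {
    "alice": "password123",
    "bob": "password123",
    "carol": "correct horse battery staple",
}

# Constructed attacker wordlist. Real ones have millions of entries.
WORDLIST = ["123456", "password", "password123", "letmein", "qwerty"]


def unsalted_hash(password: str) -> str:
    """The scheme the answer warns against: sha1(password) with no salt."""
    return hashlib.sha1(password.encode()).hexdigest()


def salted_hash(salt: bytes, password: str) -> str:
    """The question's scheme: sha1(salt . password) with a per-user random salt."""
    return hashlib.sha1(salt + password.encode()).hexdigest()


def register_unsalted(users: dict) -> dict:
    """Stored table for the unsalted scheme: user -> hash."""
    return {u: unsalted_hash(p) for u, p in users.items()}


def register_salted(users: dict, salt_len: int = 16) -> dict:
    """Stored table for the salted scheme: user -> (salt, hash).
    The salt comes from a CSPRNG and is stored in the clear next to the hash;
    the attacker is expected to see it."""
    table = {}
    for u, p in users.items():
        salt = secrets.token_bytes(salt_len)
        table[u] = (salt, salted_hash(salt, p))
    return table


def attack_unsalted(stored: dict, wordlist: list) -> tuple:
    """Precompute hash -> word once (this can be done before the breach, and
    a rainbow table is the space-optimised form of it), then crack every user
    with a dictionary lookup. Work: len(wordlist) hashes, however many users."""
    precomputed = {unsalted_hash(w): w for w in wordlist}
    cracked = {u: precomputed[h] for u, h in stored.items() if h in precomputed}
    return cracked, len(wordlist)


def attack_salted(stored: dict, wordlist: list) -> tuple:
    """Nothing can be precomputed before the salts are known, and each guess
    must be hashed again for every user. Work: len(wordlist) * len(stored)."""
    cracked = {}
    work = 0
    for u, (salt, h) in stored.items():
        for w in wordlist:
            work += 1
            if salted_hash(salt, w) == h:
                cracked[u] = w
    return cracked, work


def slow_hash(salt: bytes, password: str, iterations: int = 600_000) -> bytes:
    """Caveat: a salt does not slow down any single guess. PBKDF2-HMAC-SHA256
    (standard library) makes every guess cost `iterations` HMAC calls on top."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


if __name__ == "__main__":
    plain = register_unsalted(USERS)
    print("unsalted, alice == bob hash:", plain["alice"] == plain["bob"])
    print("unsalted attack:", attack_unsalted(plain, WORDLIST))
    salted = register_salted(USERS)
    print("salted, alice == bob hash:", salted["alice"][1] == salted["bob"][1])
    print("salted attack:", attack_salted(salted, WORDLIST))
```

Running it shows both weak passwords cracked in either scheme, but the unsalted attack spent five hashes for all three users while the salted attack spent fifteen; with a million-entry wordlist and a million users that factor is what makes the per-user attack impractical, and the slow KDF adds another factor on top.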


Another intention behind the use of a salt is to make sure two users with the same password won't end up having the same hash in the users table (assuming their salts are not the same). However, the combination of a salt and a password may lead to the same "string" or hash in the end and the hash will be exactly the same, so make sure to use a combination of salt and password where two different combinations won't lead to the same hash.

Percutio answered Sep 17 '22 12:09
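The "same string in the end" case from this answer, as an added example that is not part of the original answer: with a variable-length text salt, sha1($salt.$password) sees only the concatenation, so the constructed pairs ("ab", "cdef") and ("abc", "def") produce the same input and the same hash. The fix shown is to feed salt and password into the hash as separate inputs (here HMAC from Python's standard library, with the salt as key); a fixed-length salt, so the boundary is always at the same offset, is the other common fix. The salt and password strings are constructed for illustration.

```python
import hashlib
import hmac


def concat_hash(salt: str, password: str) -> str:
    """The question's sha1($salt.$password) with a variable-length text salt."""
    return hashlib.sha1((salt + password).encode()).hexdigest()


# Constructed pairs: different (salt, password), identical concatenation "abcdef".
AMBIGUOUS_PAIRS = [("ab", "cdef"), ("abc", "def")]


def concatenation_collides(pairs=AMBIGUOUS_PAIRS) -> bool:
    """True if all pairs hash to the same value under plain concatenation."""
    return len({concat_hash(s, p) for s, p in pairs}) == 1


def keyed_hash(salt: bytes, password: str) -> str:
    """HMAC-SHA1 with the salt as key: salt and password enter through separate
    inputs, so shifting bytes between them changes the result. Still a fast
    hash; for real password storage wrap this in a slow KDF as well."""
    return hmac.new(salt, password.encode(), hashlib.sha1).hexdigest()


def keyed_collides(pairs=AMBIGUOUS_PAIRS) -> bool:
    """True if the same pairs still collide under the keyed construction."""
    return len({keyed_hash(s.encode(), p) for s, p in pairs}) == 1


def fixed_salt_collides(pairs=AMBIGUOUS_PAIRS, salt_len: int = 3) -> bool:
    """Alternative fix: pad every salt to a fixed length before concatenating.
    The boundary is then always at offset salt_len, so distinct pairs give
    distinct inputs; pairs whose salt exceeds salt_len are rejected."""
    hashes = set()
    for s, p in pairs:
        if len(s) > salt_len:
            raise ValueError("salt longer than the fixed length")
        hashes.add(concat_hash(s.ljust(salt_len, "\0"), p))
    return len(hashes) == 1


if __name__ == "__main__":
    print("plain concatenation collides:", concatenation_collides())
    print("HMAC collides:", keyed_collides())
    print("fixed-length salt collides:", fixed_salt_collides())
```

The collision here is between two stored records, not something an attacker exploits directly, but it is exactly the "two different combinations leading to the same hash" the answer warns about, and it disappears once the hash input is unambiguous.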