I have read that a salt that is going to be used should have the same length as the hashed password. What is the reasoning behind this? Will it increase password protection? I have read it Here:
To make it impossible for an attacker to create a lookup table for every possible salt, the salt must be long. A good rule of thumb is to use a salt that is the same size as the output of the hash function. For example, the output of SHA256 is 256 bits (32 bytes), so the salt should be at least 32 random bytes.
Here is a good description of why password salts are needed.
No, you don't need your salt to be the same length as the password. In fact, none of the implementations listed in the article do that. Generally for each added bit of salt you're requiring an attacker to double his storage budget.
So having a 10 byte salt should be sufficient for today's level of technology. Also note that the salt is a binary value whereas passwords are not, so the salt length should be measured in bits/bytes and not characters.
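The answer's two points in working code, as an added example that is not part of the original question or answer: the lookup-table cost an attacker faces grows as 2^(salt bits), and a salt's size is its random bytes, not the characters of its hex encoding. The choice of PBKDF2-HMAC-SHA256 and the iteration count are assumptions made for this example.

```python
import hashlib
import hmac
import os

# Constructed example (not from the original post): salted password hashing
# with PBKDF2-HMAC-SHA256, plus helpers that measure a salt in random bits.

ITERATIONS = 600_000  # assumed work factor; tune for your own hardware


def salt_entropy_bits(salt: bytes) -> int:
    """A salt drawn uniformly at random carries 8 bits per raw byte."""
    return len(salt) * 8


def lookup_table_multiplier(salt: bytes) -> int:
    """Factor by which a precomputed table must grow to cover every
    possible value of this salt: one table per salt value, 2 ** bits."""
    return 2 ** salt_entropy_bits(salt)


def hash_password(password: str, salt_len: int = 16) -> dict:
    """Hash a password with a fresh random salt (os.urandom is a CSPRNG)."""
    salt = os.urandom(salt_len)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    # Stored hex-encoded: the string is 2 * salt_len characters long but
    # still carries only salt_len * 8 bits of randomness.
    return {"salt": salt.hex(), "hash": digest.hex(), "iterations": ITERATIONS}


def verify_password(password: str, record: dict) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    salt = bytes.fromhex(record["salt"])
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, record["iterations"])
    return hmac.compare_digest(digest.hex(), record["hash"])


if __name__ == "__main__":
    rec = hash_password("correct horse battery staple")
    raw_salt = bytes.fromhex(rec["salt"])
    print("salt hex chars:", len(rec["salt"]), "salt bits:", salt_entropy_bits(raw_salt))
    print("table multiplier for a 10-byte salt: 2 **", salt_entropy_bits(bytes(10)))
    print(verify_password("correct horse battery staple", rec), verify_password("wrong", rec))
```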