Page 1 of 1

Question about Salts

Posted: Sun Jun 29, 2008 6:46 pm
by Kivork
Hi, I'm new to php abd was reading about salts and hashes.

As I understand it, the reason for a salt is to make it harder for someone to crack a hashed password in the event they manage to steal that hash. But if you store the salt in a database as well, then couldn't the person who stole the password simply steal the salt also, and then what would be the point of it.

This is probably a really stupid question, I think I'm missing something that is preventing me from understanding it.

Any help would be apreciated.

Re: Question about Salts

Posted: Sun Jun 29, 2008 7:04 pm
by Eran
The point is that each password has a unique salt making it impossible to attack all the password in a table at the same time, and also to foil dictionary attacks by adding a non-dictionary word to the hashing process. An attacker would have to break each password individually, since they are hashed differently - two identical passwords will have two different hashes and so forth.

Re: Question about Salts

Posted: Mon Jun 30, 2008 1:44 am
by Mordred
Additionally, if you use TWO salts (aka "salt and pepper"), one in the database (unique per user) and one hardcoded in the source you would make it greatly harder (nearly "impossible") to crack ANY password. I've explained the details in a paper (still in "draft" stage) here: viewtopic.php?t=62782