Does it make sense to store the salt of a password with the hash itself?

Question

Does it make sense to store the salt of a password with the hash itself?

Asked 6 years, 11 months ago

Viewed 251 times

5

Looking at tables in a database of a certain product, I came across a structure similar to this:

[LocalUsers]
UserId           Integer
PasswordHash     Byte[]
Salt             Byte[]

If an intruder gets this list, it’s enough for him to apply discovery techniques, just like hashes clean (without salt)?

Support question: How to hash passwords securely?

1 answer

Browser other questions tagged database security-guard cryptography hash salt

You are not signed in. Login or sign up in order to post.

by Maniero • **444,682** points · Answer 1 · 2017-08-04T20:54:52+00:00

No problem at all. The function of "salt" exists to avoid collisions of equal passwords or hashes the same result. Its function is not to establish a secret, it is only to avoid discovering a password by coincidence.

As shown in the question linked and others on the subject it is important that it be random and sufficient to avoid duplication of interpretation.

The strength of hash should be sufficient in the event of the password database compromise, do not give such responsibility to the salt.

Strength is a general thing, it’s the difficulty of breaking it. For example, there is a new one that is safer than the existing ones when that question was answered: https://github.com/P-H-C/phc-winner-argon2. Having invasion the salt influences nothing, so do not need to protect it, it serves to combat other types of attacks, not to prevent an hacked server steal passwords, in this case the hash should be the best possible, that’s what’s in the answer.

If you don’t put it there, where will you put it? In another table? It’s the same for security. In another database? Changes nothing. On another server? Then it helps only a little, but it creates a complication for the software.