Does it make sense to store the salt of a password with the hash itself?

Asked

Viewed 251 times

5

Looking at tables in a database of a certain product, I came across a structure similar to this:

[LocalUsers]
UserId           Integer
PasswordHash     Byte[]
Salt             Byte[]

If an intruder gets this list, it’s enough for him to apply discovery techniques, just like hashes clean (without salt)?

Support question: How to hash passwords securely?

1 answer

5


No problem at all. The function of "salt" exists to avoid collisions of equal passwords or hashes the same result. Its function is not to establish a secret, it is only to avoid discovering a password by coincidence.

As shown in the question linked and others on the subject it is important that it be random and sufficient to avoid duplication of interpretation.

The strength of hash should be sufficient in the event of the password database compromise, do not give such responsibility to the salt.

Strength is a general thing, it’s the difficulty of breaking it. For example, there is a new one that is safer than the existing ones when that question was answered: https://github.com/P-H-C/phc-winner-argon2. Having invasion the salt influences nothing, so do not need to protect it, it serves to combat other types of attacks, not to prevent an hacked server steal passwords, in this case the hash should be the best possible, that’s what’s in the answer.

If you don’t put it there, where will you put it? In another table? It’s the same for security. In another database? Changes nothing. On another server? Then it helps only a little, but it creates a complication for the software.

  • You quoted força do hash. What exactly would that be? Number of iterations? Put another way: There being a hash and salt invader of a given password, which still makes this hash stronger than a simple hash without salt?

  • Strength is a general thing, it’s the difficulty of breaking it. For example, there is a new one that is safer than the existing ones when that question was answered: https://github.com/P-H-C/phc-winner-argon2. If the salt does not influence anything, so need not protect it, it serves to combat other types of attacks, not to prevent an hacked server steal passwords, for this case the hash should be the best possible, that’s what’s in the answer.

  • "...it serves to combat other types of attacks". Beauty, that I wanted to know. Thank you

Browser other questions tagged

You are not signed in. Login or sign up in order to post.