Storing Salt as Plaintext in a File Containing Cryptotext

My question is this:

Doesn't storing the salt as plaintext defeat the purpose of having a salt (which I've heard is fine to do)? I was of the impression that the salt is meant to be an additional variable providing added complexity for a brute-force or dictionary attack, by causing any attempt to convert the correct password to the key to fail unless the correct salt is supplied. It seems to me that if the salt is known, the attacker can try each password with the correct salt. If not, why?

Thanks in advance for taking the time to answer my questions.

Razick Avatar asked Dec 20 '25 11:12

2 Answers

The point of a salt is to prevent an attacker from reusing his dictionary for multiple ciphertexts.
There is nothing wrong with revealing the salt.

Instead, you should make sure that your salt is never re-used by a different ciphertext.
To do that, you should create salts using a secure random number generator.

SLaks Avatar answered Dec 22 '25 11:12

Doesn't storing the salt as plaintext defeat the purpose of having a salt (which I've heard is fine to do)?

Why do you use salt? To store passwords securely you hash them, and you store a list of those hashes. When you know the hash it is incredibly hard to find the original password.

Suppose you are an attacker who has retrieved a list of hashed passwords. You could take some guesses. You could try to hash some weak passwords such as "password", "qwerty", ... and then search through the list of hashed passwords for a match. The chance you can guess a single password correctly is quite high.

Salt is a technique to prevent you from doing this. When you want to take a guess, e.g. "qwerty", you should hash "qwerty" + salt. This will be different for every user, which makes it a lot harder to guess passwords.

Briefly: storing salt as plain text is perfectly secure.

Erik Avatar answered Dec 22 '25 12:12
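The two answers above describe the same scheme; as an added example (not code from either answerer), here it is in Python: the salt comes from a CSPRNG, is stored in the clear beside the digest, and two users who pick the same weak password end up with unrelated digests. PBKDF2-HMAC-SHA256, the 16-byte salt length and the iteration count are assumed, illustrative parameters.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Illustrative parameters (assumed, not from the thread): PBKDF2-HMAC-SHA256,
# a 16-byte salt from the OS CSPRNG, and an iteration count you should tune
# upward for production until hashing costs as much time as login can afford.
SALT_BYTES = 16
ITERATIONS = 100_000


def hash_password(password: str, salt: Optional[bytes] = None) -> tuple:
    """Return (salt, digest). A fresh salt is drawn unless one is supplied (verification)."""
    if salt is None:
        salt = secrets.token_bytes(SALT_BYTES)  # never reused: fresh random bytes per record
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute with the stored (plaintext) salt; constant-time compare of the digests."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


def same_password_different_salts(password: str = "qwerty") -> bool:
    """Two users with the same weak password still get unrelated stored digests, so a
    digest precomputed or cracked for one of them cannot be looked up for the other."""
    salt_a, digest_a = hash_password(password)
    salt_b, digest_b = hash_password(password)
    return salt_a != salt_b and digest_a != digest_b


def record_line(username: str, salt: bytes, digest: bytes) -> str:
    """What actually lands in the password store: the salt in the clear next to the digest."""
    return f"{username}:{salt.hex()}:{digest.hex()}"


if __name__ == "__main__":
    # Constructed sample accounts; two of them share the weak password "qwerty".
    users = {"alice": "qwerty", "bob": "qwerty", "carol": "correct horse battery staple"}
    store = {name: hash_password(pw) for name, pw in users.items()}
    for name, (salt, digest) in store.items():
        print(record_line(name, salt, digest))
    print("alice and bob digests differ:", store["alice"][1] != store["bob"][1])
    print("alice login ok:", verify_password("qwerty", *store["alice"]))
    print("bob wrong password rejected:", not verify_password("password", *store["bob"]))
```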
