How does password salt increase security

StackOverflow https://stackoverflow.com/questions/19951065

  •  30-07-2022
  •  | 
  •  

Question

I'm trying to understand how a password salt increase security. Basically, for each user password a random string is generated, added to the password and then hashed. When the user logs on, the system fetch the salt for that specific user, adds it to the password, hash and compare to the stored hash value.

Now. I understand how this makes a much longer password/hash value. What I do not understand is what hinders an automated function to chose a username and just make a lot of login attempts on - for example - a web site, with different password each time. To me it would seem that the salt has no function in that scenario?

I feel quite certain that I have misunderstood this and would be glad if someone could help me understand.

Was it helpful?

Solution

What I do not understand is what hinders an automated function to chose a username and just make a lot of login attempts on - for example - a web site, with different password each time. To me it would seem that the salt has no function in that scenario?

Correct. Hashing and salting do not prevent against brute-force login attempts. (For that, you want to limit the number of login attempts per unit of time, or to ban after X-failed attempts).

Hashing and salting are used to prevent a stolen password list being cracked (or, to increase the amount of time needed to crack said list).

When storing passwords, you have 3 options: plain text, hashed, or hashed+salted. If I steal your password list:

  • Plain text: I now have the login details for all your users. I can impersonate them. (That's bad).
  • Hashed: I can use a rainbow table to determine the password from the hash reasonably quickly. (That's also bad).
  • Hashed + salted: Now the rainbow tables don't work. I have to spend considerably more time cracking each password. It's still possible, but it is a lot harder (and, unless you're actually important, I'm probably not going to bother). Note that this also gives you time to notice the security breech and inform your customers their passwords were stolen, and ask them to change it (so even when I eventually crack the hashed+salted list, I can't use it).

So: hashing + salting is used to prevent (or slow) attempts to crack a password from a stolen hash using brute force methods.

OTHER TIPS

Salts are used to reduce the threat of using Brute-Force-attacks on your hashes. If your passwords are "unsalted" one could easily use a dictionary of say 1 million hashes and run them against your database (dictionary attack). A Salt is a random sequence which is concatenated with your password just before generating the hash. Your database then saves the salt and the hash. If you choose the number of possible salts high enough brute-force-attacks are considerably harder to carry out because the attacker has to generate every possible salt in combination with his password-dictionary.

For example hashing algorithms like MD5 are no longer useful because there are databases with full discretionary hashed so if someone get access to ur hashed password (without salt). they can just search and find that word for the hash. if u add salt that becomes difficult to do. but that will only slow the hacker. if they get access to your code then salt wont help. But always add some salt its good.

Security of data in database

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow
scroll top