
I don't understand why the salt has to be randomly generated instead of just unique. For example, if you have a table with a user_id column (which is unique), couldn't you just tack that on to the password for the salt?


Jean-Bernard Pellerin is correct and this is a duplicate of https://stackoverflow.com/a/536756/516813 . I couldn't find that in the search and I am closing the question. FYI, that answer shows that the main requirement IS uniqueness.

chacham15

2 Answers

  1. User IDs are unlikely to be long enough to stop good rainbow tables

  2. The salt should change whenever the password changes.
    (to prevent attackers from knowing whether a user changed the password back to an earlier password)

SLaks
  • 1. Why wouldn't it stop a good rainbow table (now that there is additional data being tacked onto the password, any rainbow table against the result won't get you the original password, because of the extra addition)? 2. Does that matter when your algorithm is bcrypt (which produces different outputs for the same password)? – chacham15 Apr 29 '13 at 19:48
  • 1: The attacker knows what the user ID is, so he can remove that data. The point of salt is to make the plaintext long & random enough that the rainbow table won't crack it at all. – SLaks Apr 29 '13 at 21:33
  • 2: bcrypt generates its own random salt, and stores it in the hash, so your whole question doesn't apply. – SLaks Apr 29 '13 at 21:34
  • 1: What? How can he "remove that data"? A PRECOMPUTED table will not have the set of all user ids prepended to the possible passwords (the table would be huuuuuge!). 2: fair point. – chacham15 Apr 29 '13 at 21:37
  • @chacham15: 1: Not necessarily. Rainbow tables **are** huge; it is entirely possible that they will have common passwords with numbers appended to it. – SLaks Apr 30 '13 at 13:35
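The two points in this answer in working code, as an added example that is not from either answer or from the question: PBKDF2-HMAC-SHA256 from Python's standard library stands in for the password hash, the iteration count is an assumed demo value, and the user-ID-as-salt scheme is included only to show that a repeated password becomes visible in the stored records.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

ITERATIONS = 100_000  # assumed demo work factor; raise it for real deployments
SALT_BYTES = 16       # 128-bit random salt, long enough to defeat precomputed tables


@dataclass(frozen=True)
class StoredPassword:
    salt: bytes    # stored in the clear next to the digest, as with bcrypt
    digest: bytes


def _pbkdf2(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def hash_with_user_id(user_id: int, password: str) -> StoredPassword:
    """The scheme from the question: the (public, predictable) user ID is the salt."""
    salt = str(user_id).encode("ascii")
    return StoredPassword(salt, _pbkdf2(password, salt))


def hash_with_random_salt(password: str) -> StoredPassword:
    """The recommended scheme: a fresh random salt every time a password is set."""
    salt = os.urandom(SALT_BYTES)
    return StoredPassword(salt, _pbkdf2(password, salt))


def verify(stored: StoredPassword, password: str) -> bool:
    """Works for both schemes because the salt travels with the digest."""
    return hmac.compare_digest(stored.digest, _pbkdf2(password, stored.salt))


def reuse_detectable(old: StoredPassword, new: StoredPassword) -> bool:
    """True when two records reveal that the same password was set twice."""
    return old.digest == new.digest


def demo() -> dict:
    """User 42 sets a password, then 'changes' it back to the same value."""
    a = hash_with_user_id(42, "correct horse")
    b = hash_with_user_id(42, "correct horse")   # identical record: reuse is visible
    c = hash_with_random_salt("correct horse")
    d = hash_with_random_salt("correct horse")   # new salt: records differ
    return {"user_id_salt_reveals_reuse": reuse_detectable(a, b),
            "random_salt_reveals_reuse": reuse_detectable(c, d),
            "both_verify": verify(a, "correct horse") and verify(c, "correct horse")}
```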

Yes, you could, but that would weaken the power of the salt. Good salts are long and difficult to guess. Good random numbers meet these criteria, which is why they are used.

Randall Cook
  • Why does the ability to guess the salt matter? The purpose of the salt is simply to stop a rainbow table attack (which is also accomplished with this). – chacham15 Apr 29 '13 at 19:47