
Is there really a point in salting a password?

If a program does all the processing of a salt server side, then does it really make it any more difficult for brute force or other attacks? The code is only going to apply the salt to whatever is entered by a user.

Do I have this all wrong?

g r
  • possible duplicate of [How does password salt help against a rainbow table attack?](http://stackoverflow.com/questions/420843/how-does-password-salt-help-against-a-rainbow-table-attack) – Hexaholic May 08 '15 at 07:43

4 Answers


Yes, there is a point in salting a password.

The point is that each password has its own salt, so that an attacker can't make use of dictionaries and rainbow tables to brute force all passwords at once.

The salt doesn't make it harder to crack a single password¹, but it removes the benefit from attempting to crack multiple passwords at once. An attacker has to brute force one password at a time.


¹ At least not enough to be a good reason to use it. Using better passwords works much better.

Guffa
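The following is an added example, not code from the original thread, that makes Guffa's point concrete: an attacker working on a dump of unsalted hashes pays one hash evaluation per candidate word for all accounts together, whereas with a random per-account salt the whole wordlist has to be run again for every account (the cost now scales with the number of users), yet a single weak password is still found just as easily. The accounts and wordlist are constructed, and plain SHA-256 stands in for a real slow password hash only so that evaluations can be counted.

```python
import hashlib
import os
from collections import defaultdict

# Constructed sample data: three accounts, two of which chose the same weak
# password, and a tiny attacker wordlist.
USERS = {"alice": "letmein", "bob": "password1", "carol": "letmein"}
WORDLIST = ["123456", "password1", "letmein", "qwerty", "hunter2"]

def unsalted_hash(pw: str) -> str:
    # Real systems should use a slow KDF (bcrypt, scrypt, PBKDF2); SHA-256
    # is used here only so the number of evaluations is easy to count.
    return hashlib.sha256(pw.encode()).hexdigest()

def salted_hash(pw: str, salt: bytes) -> str:
    # The salt is mixed into the input; it is stored next to the hash, not hidden.
    return hashlib.sha256(salt + pw.encode()).hexdigest()

def build_unsalted_db(users=USERS):
    return {u: unsalted_hash(p) for u, p in users.items()}

def build_salted_db(users=USERS):
    db = {}
    for user, pw in users.items():
        salt = os.urandom(16)          # fresh random salt per account
        db[user] = (salt, salted_hash(pw, salt))
    return db

def crack_unsalted(db, wordlist=WORDLIST):
    """One hash per candidate is compared against *every* stored account."""
    by_hash = defaultdict(list)
    for user, h in db.items():
        by_hash[h].append(user)        # identical passwords share a hash
    found, evals = {}, 0
    for cand in wordlist:
        evals += 1
        for user in by_hash.get(unsalted_hash(cand), []):
            found[user] = cand
    return found, evals

def crack_salted(db, wordlist=WORDLIST):
    """With per-account salts the wordlist must be re-hashed for each account."""
    found, evals = {}, 0
    for user, (salt, h) in db.items():
        for cand in wordlist:
            evals += 1
            if salted_hash(cand, salt) == h:
                found[user] = cand
                break
    return found, evals

if __name__ == "__main__":
    f1, e1 = crack_unsalted(build_unsalted_db())
    f2, e2 = crack_salted(build_salted_db())
    print(f"unsalted: {len(f1)} cracked with {e1} hash evaluations")
    print(f"salted:   {len(f2)} cracked with {e2} hash evaluations")
```

Both runs crack all three accounts, but the unsalted dump also reveals that alice and carol share a password, and the salted run needs more evaluations for every extra account in the dump.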

In a word, yes.

Salting a password adds a level of complexity to the string and confuses humans, and makes dictionary attacks less likely to succeed.

Brute force can still crack this password however, hence the need for a randomly generated salt.

Salts are typically generated via byte-arrays, which are then fed into a function to combine the two strings into one at intervals. See my answer here.

Community

The hashes may be leaked without the salt (common scenario: database gets dumped, but a salt is present in PHP source that does not leak).

BobbyTables
    Using the same salt for all passwords defeats the purpose. – Guffa May 08 '15 at 07:50
  • No it does not; if the salt is not known, a brute-force attack will be more difficult on the hashes – BobbyTables May 08 '15 at 07:53
  • I agree with @Guffa, the best practice would be to randomly generate a new salt string each time a user is created. – Michael Wiggins May 08 '15 at 07:56
  • @MichaelWiggins yes, that is best practice; that's not the discussion. I'm explaining a common scenario. An unknown salt makes it harder – BobbyTables May 08 '15 at 07:58
  • It's a fair point. I typically feed my passwords through several hash functions in a single user creation, purely to sate my paranoia where it comes to security, where the final stage includes a salt, which is stored in the database. Since I use prepared statements everywhere, the chance of the salt being public causing an issue drops. – Michael Wiggins May 08 '15 at 08:01
  • @zedd: Yes, using the same salt for all passwords *does* defeat the purpose. The whole point of salting the passwords is that each password has a different salt. If you don't use the salt properly, then there is no point in using it at all. – Guffa May 08 '15 at 08:02
  • @Guffa absolutely not. I can provide you with a hash that was salted and one that was not and see which one you crack first? – BobbyTables May 08 '15 at 08:09
  • @zedd: You are missing the point of salting. http://en.wikipedia.org/wiki/Salt_%28cryptography%29 – Guffa May 08 '15 at 08:54
  • @guffa I'm perfectly aware of the point of salting, best practices and how data breaches look in the real world. You however do not seem to realize that a hash is more difficult to crack if it's salted, given that the salt is unknown. Are you stating that it's equally fast/difficult? – BobbyTables May 08 '15 at 09:00
  • @zedd: You are still missing the point. That's not the main reason for using salts. If you misuse it, you only get the minor additional effects, not the main reason. – Guffa May 08 '15 at 09:50
  • @Guffa The point of salting is to make it harder to crack the hash. And you numerous times state that it does not make it harder to crack - this is obviously incorrect information (and very basic). I'm not saying that it's good practice to use a "common" salt, I'm saying that it exists in the real world, and that it DOES make it harder to crack DB-dumps – BobbyTables May 08 '15 at 10:14
  • @zedd: That's not the main point of salting. Please read up on why salting is used. I provided a link above where you can start. – Guffa May 08 '15 at 10:34
  • @Guffa The point of salting isn't to make it harder to crack? Then you've missed some basic cryptography concepts – BobbyTables May 08 '15 at 10:40
  • @zedd: Exactly, that's not the main point of salting. It obviously doesn't matter what I try to say to you. That's why I repeatedly tell you to go and read what others have said about salting. – Guffa May 08 '15 at 10:52
  • @Guffa If you don't think the purpose of salting is to make it harder to crack there's not much we can do here – BobbyTables May 08 '15 at 11:02
  • @zedd: Exactly. If you don't get the point that I explain, there is nothing more that I can do. I can explain it to you, but I can't understand it for you. – Guffa May 08 '15 at 11:16
  • @zedd - Sorry to extend this discussion, a salt does not make it more difficult to brute-force a **single** password, but it does make it harder to brute-force **multiple** passwords. Today's hash functions will include the salt plaintext into the hash-value, so if an attacker knows the hash, he also knows the salt and therefore can use this salt to brute-force the password. – martinstoeckli May 08 '15 at 13:09
  • @martinstoeckli if the salt is not known it increases the difficulty to crack the hash by magnitudes (the scenario described). I can provide you with two hashes (a salted and one without) and you tell me which one you brute-force quickest (if at all). – BobbyTables May 08 '15 at 14:38
  • @zedd - Yes, but it is not the job of the salt to be secret. To add a secret there are better ways, add a pepper or use a server-side key to encrypt the hash. Let the salt do its job, but do not mix it with other purposes. You can find an example of such a scenario at the end of my tutorial about [secure password storing](http://www.martinstoeckli.ch/hash/en/index.php). – martinstoeckli May 08 '15 at 14:47
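As an added example (not code from the original thread or from martinstoeckli's tutorial) of the separation recommended in the comment above: the per-user salt is stored in the database record next to the hash, while a server-side pepper is held outside the database and bound to the password with HMAC before the slow, salted KDF. The pepper constant, the record format and the function names are assumptions of this example.

```python
import base64
import hashlib
import hmac
import os

# Constructed pepper for the example. In a real deployment it is loaded from
# application config or a key store and is never written to the database.
PEPPER = bytes.fromhex("00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff")
ITERATIONS = 100_000

def _prehash(password: str, pepper: bytes) -> bytes:
    # Bind the password to the server-side secret before the salted KDF, so a
    # dumped record cannot be verified offline without the pepper.
    return hmac.new(pepper, password.encode("utf-8"), hashlib.sha256).digest()

def make_record(password: str, pepper: bytes = PEPPER) -> str:
    """Build the string stored in the DB; the random per-user salt travels with the hash."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", _prehash(password, pepper), salt, ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (
        ITERATIONS,
        base64.b64encode(salt).decode(),
        base64.b64encode(digest).decode(),
    )

def verify(record: str, password: str, pepper: bytes = PEPPER) -> bool:
    """Recompute from the stored salt and compare in constant time."""
    try:
        algo, iters, salt_b64, digest_b64 = record.split("$")
        if algo != "pbkdf2_sha256":
            return False
        iterations = int(iters)
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(digest_b64)
    except ValueError:               # malformed record (binascii.Error is a ValueError)
        return False
    actual = hashlib.pbkdf2_hmac("sha256", _prehash(password, pepper), salt, iterations)
    return hmac.compare_digest(actual, expected)

if __name__ == "__main__":
    rec = make_record("correct horse")
    print(rec)
    print(verify(rec, "correct horse"), verify(rec, "wrong"), verify(rec, "correct horse", b"other"))
```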

You are right in a way but ... the most significant protection from a salt is that if the hashes ever do get released into the wild then reverse hash lookups are much, much harder.

Hash a word and then put the hash result into your favourite search engine to see what I mean.