Trying to understand salting and hashing passwords in Ruby on Rails

Question

I'm walking through Michael Hartl's book (awesome, free resource, btw, thanks Michael!) and I have a question about salting and hashing passwords. The point of salting a password is to prevent a hacker from performing a rainbow attack, which if I understand correctly is basically a brute force attack if the hacker can guess the type of encryption used. To prevent this kind of attack, a salt is used to randomize the password before it's encrypted, but that salt has to be stored along with the encrypted password? If so, then if a hacker can access the database and retrieve the encrypted password, then can't they also retrieve the salt and proceed with their rainbow attack?

Here's Michael's code example of the process...

>> Time.now.utc
=> Fri Jan 29 18:11:27 UTC 2010
>> password = "secret"
=> "secret"
>> salt = secure_hash("#{Time.now.utc}--#{password}")
=> "d1a3eb8c9aab32ec19cfda810d2ab351873b5dca4e16e7f57b3c1932113314c8"
>> encrypted_password = secure_hash("#{salt}--#{password}")
=> "69a98a49b7fd103058639be84fb88c19c998c8ad3639cfc5deb458018561c847"

Thanks so much!

Answer 1

No, a rainbow attack is not the same as a brute-force attack.

You can think of a rainbow table as a big database of strings and their hashes. When someone gets access to your database, they can compare the passwordhash to the ones in the rainbow table and get the password easily.

A salt prevents this by adding extra bits to the password. If the salt is long enough, the hash won't be in the rainbow table.

When using a brute-force attack, you have to calculate the hashes, while with rainbow attacks, you have the hashes already.

So yes, when someone gets access to your database, they can also get your salt. But that doesn't matter if it's a unique one per record.