Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

Unique salts have to be stored somewhere. A common practice is to just use another piece of information associated with their account. The purpose of a salt is to make various bruteforcing attacks difficult. It doesn't do much if someone has full access to a system.


> Unique salts have to be stored somewhere. A common practice is to just use another piece of information associated with their account. The purpose of a salt is to make various bruteforcing attacks difficult.

All absolutely true.

> It doesn't do much if someone has full access to a system.

Not true. Without salt they can try passwords and if the hash matches ANY in the system they know the password for those accounts. With a big dictionary of likely passwords (or just normal words) many passwords will be discovered very quickly.

With salt you have to try the password dictionary against EACH user (actually each salt value but they should be unique). This makes discovering passwords harder by a factor of the number of users. Yes you can pick any user and run the dictionary and have a good chance of finding the password but you have to expend large computing resource for little reward (possibly worth it to break a bank account but not the average web app).


The only real advantage you gain from a salt these days is that a precompiled database of hashes can't be used against you. Whether it be from someone's personal collection or one of those web-based hash sites.

Generating a rainbow table for each user isn't that much more difficult or time-consuming than having a single rainbow table. Processing power is cheap and easy to come by these days. A small botnet can be rented to generate rainbow tables at a faster rate than most supercomputers.




Consider applying for YC's Fall 2026 batch! Applications are open till July 27.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: