Confused by salt



Hi all,

I hope someone can help clear my confusion. I wrote a program some
time back that used a hash function to store a password. Someone
advised me that I really ought to use a salt with this in order to add
greater security. Having done some reading I am a bit confused. I
understand the principle of adding a number of random characters to
the string before hashing it in order to increase its security. What
confuses me is how you then store the salt in such a way that you can
use it but the bad guys can't. I read somewhere that you can just
store the salt in plain text along with the hashed salted password,
but then surely that defeats the object - your attacker just needs to
prepend or append any dictionary words with that salt and hash the
result before comparing to your stored password. But if you encrypt
the salt, you need a key to decrypt it.

Any illumination greatly welcomed.


Ian.
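
As an added illustration (not part of the original post): the scheme the post describes, with the salt stored in the clear beside the hash. It shows that a table computed once under a single salt matches every record sharing that salt, but with a random salt per record it fits only the one record it was built for, and identical passwords no longer produce identical hashes. PBKDF2-HMAC-SHA256, the iteration count, and all names and sample data are assumptions of this example.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000    # assumed work factor for this example
FIXED_SALT = bytes(16)  # one salt shared by everyone: the "no real salt" case


def make_record(password, salt=None):
    """What the server stores: the salt in the clear plus the derived hash."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt.hex(), "hash": digest.hex()}


def verify(password, record):
    """Recompute with the stored salt and compare in constant time."""
    salt = bytes.fromhex(record["salt"])
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(digest.hex(), record["hash"])


def shared_table_matches(records, table_salt, words):
    """Count records whose hash appears in ONE table computed under table_salt."""
    table = {make_record(w, table_salt)["hash"] for w in words}
    return sum(r["hash"] in table for r in records)


# Constructed sample data: three users, two of whom chose the same password.
PASSWORDS = ["sunshine", "sunshine", "correct horse"]
WORDS = ["password", "sunshine", "letmein"]  # constructed word list

shared = [make_record(p, FIXED_SALT) for p in PASSWORDS]  # same salt for all
salted = [make_record(p) for p in PASSWORDS]              # random salt each

if __name__ == "__main__":
    print("login ok:", verify("sunshine", salted[0]))
    print("same password, same hash (shared salt):", shared[0]["hash"] == shared[1]["hash"])
    print("same password, same hash (random salts):", salted[0]["hash"] == salted[1]["hash"])
    print("one table vs shared-salt records:", shared_table_matches(shared, FIXED_SALT, WORDS))
    print("one table vs random-salt records:", shared_table_matches(salted, FIXED_SALT, WORDS))
```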