Hash

A hash function is any well-defined procedure or mathematical function that converts a large amount of data into a small datum, usually a single integer. For questions about hashtags as used to label content on social media, use hashtag. For questions about URLs and HTML anchors, use fragment-identifier

Salt

Cryptography function that takes random bits and a string (typically a password) and uses a one-way hash to provide a new string that can be used for authentication without providing access to the original string



Time attacker longer

Example

"Likely not as cheap as xor against n values but seems like there s possibility for better quality results at a minimal extra cost especially if the data being hash is much larger than the salt value"

from question  

How many hash functions are required in a minhash algorithm

" salt is not a constant if every password is hash with the same salt you re wasting your time;i would recommend using bcrypt instead of the sha512 salt approach bcrypt instead s much harder to brute force"

from question  

What is the best way to securely store password (hashes)

"Since the password will be the same and only the salt changes a cracker with access to the hash can brute-force with exactly the same cost;changing the salt will not improve the security a salt is not a secret it fullfills its job even if it is known"

from question  

Does rehashing a randomly salted password at login increase security?

"The salt doesn t make it slower to calculate hash it just means they have to crack each user s password individually and pre-computed hash tables buzz-word rainbow tables are made completely useless;if you don t have a precomputed hash-table and you re only cracking one password hash salting doesn t make any difference"

from question  

How long to brute force a salted SHA-512 hash? (salt provided)

"You can safely store the salt in the db because working out a string from its hash is just as hard when you know some of the string as it is when you know none of it provided the password itself is longer than the salt and long enough and strong enough to take a long time to crack by brute force at least 6 chars with at least one case change and a number or non-alphanumeric i d say"

from question  

Castle ActiveRecord / NHibernate - Password Encryption or Hashing

"That s all clear however i am not sure what with salt in hashing. i read os.urandom python is good to create good salt what i am not sure is how to work with this added salt if i hash user password with salt and its one way"

from question  

Reason for salting a password for webservice

"A rare one amongst a disappointing number that did not hash passwords also hash with the username and some salt which is better"

from question  

Oracle apex authentication schemes login errors

"The salt determines how much space is required to store a pre-computed table such as a rainbow table that allows an attacker to quickly lookup a password for a given hash;the number of hash iterations not the salt is what determines the time required for an attacker try each password in his dictionary of candidates"

from question  

How long should a salt be to make it infeasible to attempt dictionary attacks?

"Ut if salt is appended attacker can make such database for password dictionary and additionally compute only salt s hash;given salt is usually shorter than password like 4 chars salt and 8 char password it will be faster attack"

from question  

Password salts: prepending vs. appending

"But unlike encryption algorithms password hash are one-way deterministic trap door calculations;also unlike secret-key encryption the salt does not need to remain secret"

from question  

How to get php hash_pbkdf2 decrepit value

"Which is a bad idea because of rainbow tables even if the hash is not md5 but sha512 for example;second idea add a unique random salt before hashing so the hackers has to bruteforce each password"

from question  

Historical security flaws of popular PHP CMS's?

"The salt is added to the password before hashing to ensure that the hash isn t useable in a rainbow table attack;because the salt is randomly generated each time you call the function the resulting password hash is also different"

from question  

Why is the output of werkzeugs `generate_password_hash` not constant?

"So when i see that the salt is stored in the hash password and that you use that hash password as salt i think crypt + salt is not more secure against a brute force on output hackers who managed to steal hash passwords"

from question  

How are Crypt and Salt more secure than MD5 against a brute force attack?

"For an ideal password hash a leak of the hash is nothing hugely critical;if the salt is not exposed then it s effectively impossible to recover a password"

from question  

Is it inadvisable to store a hashed password in session?

"I m not sure what you mean with switching from php but let the development language generate the hash not the database system;the salt should be different for every password a global salt cannot fulfill it s purpose"

from question  

Hashing and salting in a PDO prepared statement

"If that salt + hash original password was longer than the salt + hash you may have just reduced the security of that salt + hash password assuming a good password and ignoring hash collisions"

from question  

Using hash of password with SSL

"This is telling the security class to hash your password with the default algorithm and to use the salt configured in security.salt;if the value of security.salt is different in either application the hash will not match"

from question  

CakePHP 2 Hashing Changing Over Time?

"In order to compare it with another password you should compare the hash not the real passwords;the easy way to make hash with salt would be using messagedigest"

from question  

Java: how to write/read encrypted password in/from a file

"The salt is stored together with the hash to make it possible to validate it;had the salt not been stored it would be impossible to validate the hash since you don t know the full input to the hash which includes the salt"

from question  

Bcrypt and salted passwords - clarification?

"You ll probably need to get data anyway so the unique salt is probably faster too because you won t need to calculate the hash over username"

from question  

Hash salt complexity

"The number of hash iterations not the salt is what determines the time required for an attacker try each password in his dictionary of candidates;every bit of salt doubles the space required for the lookup table"

from question  

How long should a salt be to make it infeasible to attempt dictionary attacks?

"Most attacks involve generating hash for common passwords so for reasonably complicated passwords it becomes harder especially with salt some people use usernames as salt others use randomly generated numbers"

from question  

SHA Encryption - Are Salts Really Needed?

"After all you could do this insert into accounts user salt password values myuser 1234 sha2 concat xyzzy 1234 256 but now you the password xyzzy appears in plain-text in your query logs and binary logs even if it is stored in hash form in the table itself"

from question  

Hash() function in mysql version 8.0

"Example the salt field might only allow a 64 characters while the generated salt might be longer therefore when you save the salt it gets trimmed which ultimately changes the hash password"

from question  

Hashing passwords with exact same inputs doesn't output the same value

"A salt is most typically encountered with cryptographic hash functions not encryption functions;the idea is that rather than hashing just your data a password you hash data+salt where salt is typically a randomly-generated string"

from question  

Difference between SALT and KEY. Encryption

"I don t know how safe could it be and how difficult is for the hacker to determinate the technique i use the thing is that the result has the same length as the hash and is harder to determinate a salt so if for any reason in the history hacker uses a rainbow table and catches a probable result it will be the wrong"

from question  

Cryptography: Make a stronger hash for password

"So an attacker trying to brute-force all your password hash has an easier time because he only needs to crack the same password once for all users;therefore it is still very advisable to use user-specific salt"

from question  

PHP encryption method

"This salt is nothing more than a random arbitrary string that you concatenate to the passwords and it will make your hash password unique"

from question  

PHP Login with MD5 Password?

Function randomness several

Example

"Better use of salt is that better use of salt is randomly generated before use in hash function and better use of salt does not need to be 1024 bytes - 8 bytes is more than enough for salt and then prepended to resulting hash"

from question  

Query related to my encryption

"Your salt isn t following that so the hash function is probably failing completely though i m not certain;also your salt shouldn t be a constant in your app it should be unique to each user and stored in the db along with their hashed password"

from question  

PHP crypt password

"It s a general purpose cryptographic hash function not meant for passwords;salt must be unique per user"

from question  

Lost my md5 and salt encryption on my user password

"The more randomness and more characters your salt has the better for the hash but anything that s several characters long and random works"

from question  

How strong do salts need to be?

"That s why most algorithms call the hash function several times;using salt gives a lot more of randomness to the generated password and thus make the generated password less guessable"

from question  

What is the purpose of salt?

"One of the most common mistakes in hashing is that hash are not unique to the users;this is mainly because salt are not uniquely generated"

from question  

Secure hash and salt for PHP passwords

Salt secure retrieved

Example

"This salt used in yii2 security helper doesn t require for storing in db t is only used for creating password hash but not need to compare password with hash"

from question  

Salt is not stored in the database in yii2

"The lack of salt is harder to expoit here than with password hash since the hash is not directly known"

from question  

Encryption example with password only ... no Salt. Does it work?

"I get the impression that most people think that hashing salt passwords is the more secure way of handling passwords but i can t figure out a way to comply with current company operations when using hash passwords"

from question  

Is it ok to store passwords that are able to be retrieved?

"In this situation storing password hash and the salt is more secure than storing the credentials encrypted or not because an attacker would have no way of getting the password back even if he manages to get his hands on both the hash and the salt"

from question  

Storing credentials in an encrypted file

"Salt if not combined into password hash;authentication will create hash from provided password and stored salt and compare it to stored hash under specified login name"

from question  

Java client authentication without a servlet

"A password hash cannot be broken until the salt is retrieved;salt make precomputed attacks more resource intensive but never impossible"

from question  

Can per-user randomized salts be replaced with iterative hashing?

"So it could be that the first 8 bytes of the password hash are actually the salt;then there s the chance that the salt isn t used"

from question  

Role of PasswordSalt witn SimpleMembershipProvider

"Storing the salt unencrypted in the database next to the hash passwords is not a problem;the purpose of the salt is not to be secret"

from question  

What is best possible way of salting and storing salt?

"My problem is that while merging the password with the salt my hash password gets shorter by one character at the end"

from question  

When merging two arrays, the first array gets shorter by 1

Tables rainbow protection

Example

"If the hash is not salt it is very easy to get the cleartext password using rainbow tables if you got the hash;if the hash is salt it is very easy to get the cleartext password for simple passwords"

from question  

How secure is storing data with localStorage?

"Assuming that the is stored alongside the final -- since the hash wouldn t be testable without it -- this scheme is quite weak;using a salt does protect against rainbow tables but a non-iterated hmac leaves this scheme weak to brute-force attacks"

from question  

Is this a safe way to store my passwords?

"However using a salt offers more protection against rainbow tables precalculated hash tables so they re still worth using"

from question  

Why salt did not help when using dictionary attack

Users different weak

Example

"Assuming your hashing method is not weak it doesn t matter if the salt is known - salt is simply so that 2 users with the same password have different hash - and a casual inspection of hash wouldn t result in identical passwords being obvious;salt should be unique per user"

from question  

Creating a Strong Password Scheme When All Data is Stored on Device

"However the combination of a salt and a password may lead to the same string or hash in the end and the hash will be exactly the same so make sure to use a combination of salt and password where two different combination won t lead to the same hash;another intention behind the use of a salt is to make sure two users with the same password won t end up having the same hash in the users table assuming their salt are not the same"

from question  

What is the purpose of the "salt" when hashing?

Others

Example

The reason for this is so you can have many types of hash with different salt and feeds that string into a function that knows how to match it with some other value;if the hash does not use a salt then there is no sign for that

from question  

What type of hash does WordPress use?

Salt sha-512 offers a higher level of security and implementing a scheme where you stretch the hash is even better do some high number of iterations of sha-512 - starting with the password+salt of course

from question  

Whats a decent way to upgrade from SHA1 to SHA256?

The two append something to or otherwise modify the input password not including salt to give the resulting hash;if indeed you have the md5 hash values using the method you describe piping a string to md5sum that resulting hash cannot be reversed to anything you can then hash to an htpasswd compatible hash

from question  

How can I convert MD5 hex strings to base-64 MD5 strings?

The idea of a salt is just to make the hash digest unique per user to resist dictionary attacks and rainbow table attacks;the salt doesn t add to the strength of the hash digest algorithm regardless of the salt s length

from question  

How large should my password salt be?

If you are certain that you will never use a hash scheme to authenticate like http digest auth hash password is more secure;to avoid rainbow table attack please use a nonce or salt

from question  

Best way to store password into sql

Adding a salt to your hash does not make a pre-computed attack impossible only more difficult;re-use of a salt makes your system more prone to attack

from question  

Using the same salt for multiple fields

Prepending a salt is also more powerful than directly setting the seed values because in addition to changing the internal state of the hash if the salt is not a multiple of the digest block size then it can also perturb the alignment with which the input is fed into the hash function

from question  

How to set MessageDigest seed?

Restructuring of the database to just add an salt field is better option or the only one really if your going to do it properly but you could use your currant hash field to store the salt as other person posted

from question  

Passwords hash protection against "Rainbow tables" reverse engineering with password padding

However for a cipher algorithm that is not based on hash a salt isn t necessary because the attackers will obtain anyway the original string with the salt and it s just needed logic to remove it;a salt is a sequence of characters added to a string about to being hashed so it s harder for an attacker to obtain the original string

from question  

PHP MySQL User Password Encryption

Also always use a salt code with your hash;a side note after time has passed using hardened hash is far better than using a plain speed-based hashing function

from question  

How to Use SHA1 or MD5 in C#?(Which One is Better in Performance and Security for Authentication)

When you receive the get or read the cookie use the data in it to re-calculate the hash and stop redirect error out if the data no longer validates the hash check;when you do this use some server-side salt that isn t displayed in the url or in web page source etc

from question  

PHP - prevent users from play around with url GET variables

In other words the hash algorithm doesn t really matter as much as system security and limiting login attempts also if you don t use ssl then the attacker can just listen in on the connection to get the information;unless you need the algorithm to take a long time to compute for your own purposes then sha-256 or sha-512 with a user specific salt should be enough

from question  

SHA1 vs md5 vs SHA256: which to use for a PHP login?

If you want to store a hash that will be secure for a long time to come sha-256 or sha-512 part of the sha-2 family of hash designed as secure replacements for sha-1 are a good choice and somewhere between 128 and 256 bits of salt are standard;however the use of plain hash is not the best way to do this nowadays

from question  

Is there a standard way to store passwords in a DB?

B keeping the salt separate from the password hash is not an effective defense we are assuming administrators after all;c using existing data as a salt is a little better but i doubt existing data has as much entropy a random salt has

from question  

How do I implement salt into my login for passwords?

Rolling your own salt is not a problem and knowing them by this i assume you meant store them separately to the hash is not necessary if you re storing crypt s output as-is;from my investigation it seemed that the salt is always 22 characters and the hash offset is 29 not 28 making it 31 characters in length not 32

from question  

Why does crypt/blowfish generate the same hash with two different salts?

A salt derived from any value that has a relation with the value to be hash is not a salt it s just an altered hashing algorithm;salt are entirely pseudo random noise period

from question  

Is my Bcrypt encryption safe enough?

Your first question is not clear but multiple hash are not less secure because the second hash has a fixed length;but more important than a multiple hash the use of a salt is essential for a better security

from question  

Double hashing security

Edit as op noted just using a hash algorithm isn t enough;you must to add a salt to make it harder to break

from question  

Securty issue XOR

The salt isn t a secret it s just a custom thing you add to avoid having the hash cracked with precomputed lookup tables like rainbow tables;the salt is usually stored with the hash either in the same database in a different field or when using php s password_hash it s actually just concatenated to the hash looking something like mysalt.hash

from question  

Is PHP password_verify really secure? Add another salt?

Salt are used with hash not ciphers;note that both ivs and salt are specific examples of a nonce

from question  

Changing ciphertext upon identical encryption (IV) Cocoa?

Salting ensures the hash aren t predictable;there is a different salt used each time

from question  

Why bcrypt always returns different results?

The correct hash has a sha-512 salt so a sha-512 salt output is longer than 13 characters

from question  

PHP crypt() returning 13, and not less than 13 characters, on failure

I can imagine that the point of hashing that fingerprint information is storage space as the resulting hash has a fixed length;but to also use a salt doesn t make much sense to me

from question  

Hashing a session fingerprint really necessary?

Anyways i want to reiterate that plain md5 hash are easy to crack for most passwords since people like short and easy to remember passwords. use a salt and or a more complex algorithm;i d recommend both and use a salt that is longer than two characters and not limited to numbers

from question  

Importing MD5+Salt Passwords to MD5

A hash with salt is lot safer

from question  

Getting the primary key from a username and password entry

In fact you should be using a proven well-known implementation of a strong hash and not implementing the algorithm yourself;the salt is the part that needs to be protected

from question  

Protect hash code?

That way a hash salt is more random and your data a bit more secure

from question  

PHP Password - Salted, reversed, encrypted

Back to Home
Data comes from Stack Exchange with CC-BY-SA-4.0