>>> Salt is useful only if the way in which it's selected is useful. If
>>> the salt value is predictable or easily determined, then it's not so
>>> useful.
>>
>> The purpose of salt is to defeat rainbow tables. Therefore, the only
>> thing that matters is that the salt is an arbitrary random string which
>> is unlikely to appear in a rainbow table. (E.g., raw binary instead of
>> ASCII.) Doesn't matter how predictable it is, so long as it's not
>> predictable enough to be in a rainbow table. (And it's different for
>> every password in the database.)
>
> It can't be arbitrarily random, though, because the salt value is
> necessary to compute the hash. Give it the wrong salt, and the value
> that comes back is wrong.
Which is why you store the salt you used along with the password. That
way, any time you need to compare the hash, you know what salt to use.
The salt doesn't need to be "secret" at all. It's only there so that
each user's password hashes a different way, and so you can't use a
rainbow table on the whole database.
--
http://blog.orphi.me.uk/
http://www.zazzle.com/MathematicalOrchid*
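
The scheme described in the post above, as an added example that is not part of the original thread: a fresh random salt per password, stored in the clear next to the hash and read back at comparison time. The choice of PBKDF2-HMAC-SHA256, the iteration count, the `salt$hash` record format and all function names are assumptions made for this sketch.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000  # assumed work factor for this example
SALT_LEN = 16         # bytes of raw random salt per password


def hash_password(password: str, salt: bytes) -> bytes:
    """Derive the password hash for a given salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def make_record(password: str) -> str:
    """Return 'salt_hex$hash_hex'. The salt is not secret; it sits beside the hash."""
    salt = os.urandom(SALT_LEN)  # raw binary, different for every stored password
    return f"{salt.hex()}${hash_password(password, salt).hex()}"


def verify(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    salt_hex, digest_hex = record.split("$")
    candidate = hash_password(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    # Constructed sample database: two users who picked the same password.
    db = {"alice": make_record("hunter2"), "bob": make_record("hunter2")}

    # Same password, different salts, so the stored hashes differ and one
    # precomputed table cannot cover the whole database.
    print("records differ:", db["alice"] != db["bob"])

    # Verification works because the salt is read back from the record.
    print("alice ok:", verify("hunter2", db["alice"]))

    # Using the wrong salt (bob's) against alice's stored hash does not match.
    bob_salt = bytes.fromhex(db["bob"].split("$")[0])
    alice_digest = bytes.fromhex(db["alice"].split("$")[1])
    print("wrong salt matches:", hash_password("hunter2", bob_salt) == alice_digest)
```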