Most of these answers are a bit misguided and demonstrate a confusion between salts and cryptographic keys. The purpose of including salts is to modify the function used to hash each user’s password so that each stored password hash will have to be attacked individually. The only security requirement is that they are unique per … Read more
Prefix or suffix is irrelevant, it’s only about adding some entropy and length to the password. You should consider those three things: The salt has to be different for every password you store. (This is quite a common misunderstanding.) Use a cryptographically secure random number generator. Choose a long enough salt. Think about the birthday … Read more
The easiest way to get your password storage scheme secure is by using a standard library. Because security tends to be a lot more complicated and with more invisible screw up possibilities than most programmers could tackle alone, using a standard library is almost always easiest and most secure (if not the only) available option. … Read more
Ok. Seeing as I need to write about this over and over, I’ll do one last canonical answer on pepper alone. The Apparent Upside Of Peppers It seems quite obvious that peppers should make hash functions more secure. I mean, if the attacker only gets your database, then your users passwords should be secure, right? … Read more
Actually this is kind of strange, with the string conversions – which the membership provider does to put them into config files. Hashes and salts are binary blobs, you don’t need to convert them to strings unless you want to put them into text files. In my book, Beginning ASP.NET Security, (oh finally, an excuse … Read more
The salt is incorporated into the hash (encoded in a base64-style format). For example, in traditional Unix passwords the salt was stored as the first two characters of the password. The remaining characters represented the hash value. The checker function knows this, and pulls the hash apart to get the salt back out.
A public salt will not make dictionary attacks harder when cracking a single password. As you’ve pointed out, the attacker has access to both the hashed password and the salt, so when running the dictionary attack, she can simply use the known salt when attempting to crack the password. A public salt does two things: … Read more
The point of rainbow tables is that they’re created in advance and distributed en masse to save calculation time for others – it takes just as long to generate rainbow tables on the fly as it would to just crack the password+salt combination directly (since effectively what’s being done when generating rainbow tables is pre-running … Read more