Databases
StackOverflow2013
Postsdbo
PO
Body
 

Note that there are some explanatory texts on larger screens.

plurals
  1. PO
    text
    copied!<p>The point of the salt is to prevent the attacker from performing parallel attacks. That parallelism must be understood both space- and time-wise; roughly speaking, this means sharing the attack cost between two or more attacks.</p> <p>For instance, consider a non-salted hashed password setting. The attacker can hash all words in a dictionary for a cost proportional to the size of the dictionary, and check those hashed words with regards to <em>several</em> hashed passwords. This can be simultaneous (the attacker has a list of hashed passwords and wants to crack one) or iterative (the attacker precomputes his hashed dictionary, then uses it as a tool against several passwords in distinct systems). Either way, this is cost sharing.</p> <p>The <em>salt</em> is some data which should be somewhat unique to each hashed password instance. Salting prevents such cost sharing, to the extent of the uniqueness of the salt.</p> <p>Using the user name (or hash thereof) as a salt leverages user name uniqueness: usually, <em>on a given system at a given time</em>, user names are unique. This prevents locally space-wise sharing: if the attacker gets a snapshot of all hashed passwords, he cannot attack them in parallel with cost sharing; he will have to incur the hashed dictionary cost for every attacked password. However, this does not prevent time-wise sharing (the attacker precomputes a hashed dictionary with the salt corresponding to user "bob" and will regularly try to guess Bob's password, assuming that Bob changes his password on a regular basis, e.g. because this is mandated by his system administrator). This does not prevent either some global sharing (there are several -- many -- systems out there, with a user going under the name of "bob").</p> <p>So using the user name as salt is not bad; this is better than using no salt at all. But a random salt is still better, because it will change even in situations where the the user name is kept unchanged (a user changing his password; two users on distinct systems with the same name).</p>
 

Querying!

 
Guidance
An individual column

Larger individual text columns get their own page to allow for proper reading.

SQuiL has stopped working due to an internal error.

If you are curious you may find further information in the browser console, which is accessible through the devtools (F12).

Reload