Timeline for Why are salted hashes more secure for password storage?
Current License: CC BY-SA 3.0
21 events
| when | what | by | license | comment |
|---|---|---|---|---|
| Oct 4, 2018 at 21:07 | comment added | WakeDemons3 | | If a salt has to be stored somewhere too (it does), then why is it actually useful? It's basically the same thing as a password. |
| Feb 24, 2016 at 14:08 | history edited | SilverlightFox | CC BY-SA 3.0 | edited title |
| Jun 26, 2014 at 20:14 | answer added | Kaz | | timeline score: 1 |
| Mar 27, 2014 at 6:38 | comment added | Craig Tullis | | The salt is not appended to the hash! The salt is appended (or prepended) to the plaintext password, and the salt and password together are fed to the hashing algorithm to produce the hash. That's why you can store the salt directly with the hash value. But of course a simple salted hash, apart from being bad for your heart, is no longer sufficient for safely storing credentials. |
| Feb 26, 2014 at 8:42 | answer added | mathrick | | timeline score: 13 |
| Feb 25, 2014 at 8:14 | comment added | Johan Bezem | | The salt can also be a global salt, concatenated to the userID and then hashed, to produce a unique salt for the user's password hash. This way, you don't need to store anything per user (which could be stolen along with the hashed password...) |
| Feb 23, 2014 at 20:50 | vote accept | CommunityBot | | |
| Feb 21, 2014 at 20:19 | comment added | Eric Lippert | | And yes, the salt is stored along with the hash, and the salt should be per-user. |
| Feb 21, 2014 at 20:18 | comment added | Eric Lippert | | I wrote a series of articles answering your question a few years ago. blogs.msdn.com/b/ericlippert/archive/tags/salt |
| Feb 21, 2014 at 18:10 | answer added | xkcd | | timeline score: 50 |
| Feb 21, 2014 at 18:07 | answer added | gnasher729 | | timeline score: 7 |
| Feb 21, 2014 at 7:15 | history tweeted | twitter.com/#!/StackSecurity/status/436761059509403648 | | |
| Feb 21, 2014 at 5:11 | answer added | tylerl | | timeline score: 416 |
| Feb 21, 2014 at 3:39 | answer added | Anti-weakpasswords | | timeline score: 14 |
| Feb 21, 2014 at 3:15 | answer added | zakiakhmad | | timeline score: 10 |
| Feb 20, 2014 at 23:38 | history edited | Rory Alsop♦ | CC BY-SA 3.0 | edited title |
| Feb 20, 2014 at 22:56 | history edited | user40448 | CC BY-SA 3.0 | added 222 characters in body |
| Feb 20, 2014 at 21:15 | review | First posts | | Feb 20, 2014 at 21:19 |
| Feb 20, 2014 at 21:05 | comment added | Stephen Touset | | In addition to AJ's comment, simply salting a hash is not enough to ensure secure password storage. Modern password hashing algorithms like bcrypt and scrypt require substantial amounts of CPU and/or memory, significantly slowing an attacker's ability to attempt guesses. |
| Feb 20, 2014 at 21:01 | answer added | AJ Henderson | | timeline score: 22 |
| Feb 20, 2014 at 20:58 | history asked | user40448 | CC BY-SA 3.0 | |