Salt is not required to be secret at all; the idea of a random salt (and it should be unique for each user) is to make it impossible to use rainbow tables. Of course, the attacker knows the salt, since it's in the same DB table as the password, but he will have to brute-force each account separately, which makes it almost impossible to hack thousands of accounts at once. This is pretty much the best you can do, and the same approach has been used by Linux and many other systems for decades. Also, when adding the salt one should always use HMAC instead of simple concatenation of the salt to the password. HMAC was developed specially for this; it benefits from better security, as e.g. HMAC-MD5 does not suffer from the same weaknesses as MD5. I believe all major languages have support for it.
Commented Apr 7, 2012 on Speed Hashing at Coding Horror
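An added example (my own code, not the commenter's and not from Coding Horror) of the scheme the comment describes: a random per-user salt stored next to the hash and combined with the password via HMAC, plus two toy attackers that show why the salt forces per-account brute force even though it is not secret. HMAC-SHA256 and using the salt as the HMAC key are assumptions; the comment names neither. The wordlist and account passwords are constructed for the demonstration.

```python
import hashlib
import hmac
import os

SALT_BYTES = 16  # assumption: 128-bit random salt per user


def hash_password(password: str, salt: bytes) -> bytes:
    """HMAC with the salt as key and the password as message (assumed layout)."""
    return hmac.new(salt, password.encode("utf-8"), hashlib.sha256).digest()


def create_record(password: str) -> dict:
    """A DB row: the salt sits next to the hash and is not secret."""
    salt = os.urandom(SALT_BYTES)
    return {"salt": salt, "hash": hash_password(password, salt)}


def verify_password(record: dict, candidate: str) -> bool:
    """Recompute under the stored salt and compare in constant time."""
    return hmac.compare_digest(record["hash"], hash_password(candidate, record["salt"]))


def unsalted_hash(password: str) -> bytes:
    """What a naive scheme would store: plain SHA-256 of the password."""
    return hashlib.sha256(password.encode("utf-8")).digest()


def crack_unsalted(stored_hashes: set, wordlist: list) -> tuple:
    """Attack on unsalted hashes: one precomputed table (the rainbow-table idea,
    here a plain dict) is built once and serves every account by lookup.
    Returns (cracked passwords, number of hash computations)."""
    table = {unsalted_hash(w): w for w in wordlist}
    cracked = {table[h] for h in stored_hashes if h in table}
    return cracked, len(wordlist)


def crack_salted(records: list, wordlist: list) -> tuple:
    """Attack on salted records: the attacker knows every salt, but each guess
    must be recomputed under each user's salt, so no table carries over.
    Returns (cracked passwords, number of HMAC computations)."""
    cracked = set()
    ops = 0
    for rec in records:
        for w in wordlist:
            ops += 1
            if hmac.compare_digest(rec["hash"], hash_password(w, rec["salt"])):
                cracked.add(w)
                break
    return cracked, ops


if __name__ == "__main__":
    # Constructed sample data: three accounts, one small attacker wordlist.
    passwords = ["password", "123456", "hunter2"]
    wordlist = ["123456", "password", "letmein"]
    records = [create_record(p) for p in passwords]

    # Same password, different users -> different stored hashes.
    print(records[0]["hash"].hex() != create_record("password")["hash"].hex())

    print(crack_unsalted({unsalted_hash(p) for p in passwords}, wordlist))
    print(crack_salted(records, wordlist))
```

With three accounts and three guesses the unsalted attacker hashes 3 times and recovers two accounts by lookup; the salted attacker recovers the same two but has to compute 6 HMACs, and that cost grows with the number of accounts times the number of guesses.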