James Croxford 12,697 Points
Question on hashing and salt.
So in the video Kenneth describes the use of a salt to differentiate between accounts happening to use the same hashed password. In particular he cites an example of the account creation time being used as the salt as a possible unique identifier.
This makes sense so far, but if I enter my password to log into, say, Amazon, or even here, I enter just that: a password (and email). I certainly wouldn't enter the time I signed up for the account, so the password that is entered by me and sent to Amazon's servers (and hashed by the site to then look up against its database) wouldn't match up with the combined hashed password & salt, right? Would the website not just utilise the email address as the salt?
Or am I overthinking an example just presented for purposes of explaining the principles of hashing?
When you log into a website you also enter a unique user name along with a password. That user name can be used to look up both your hashed password and the salt in the database. See the answer here on storing salt in a database.
You wouldn't be entering the salt. If a clock were used, the SQL in the database can read the server clock.
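The lookup described in the answer above, as an added example that is not part of the original thread or the Treehouse course: the salt is created at sign-up, stored next to the hash, and fetched by username at login, so the user never types it. The `USERS` dict, the function names and the iteration count are assumptions for illustration, and a random salt is used here in place of the account creation time.

```python
import hashlib
import hmac
import secrets

# In-memory stand-in for a users table (constructed for this example):
# username -> (salt, password_hash)
USERS = {}

PBKDF2_ITERATIONS = 600_000  # assumed work factor; tune for your hardware
SALT_BYTES = 16


def hash_password(password: str, salt: bytes) -> bytes:
    """Derive the stored hash from the password and the per-user salt."""
    return hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )


def register(username: str, password: str) -> None:
    """Generate the salt once, server-side, and store it beside the hash."""
    if username in USERS:
        raise ValueError("username already taken")
    salt = secrets.token_bytes(SALT_BYTES)
    USERS[username] = (salt, hash_password(password, salt))


def login(username: str, password: str) -> bool:
    """Fetch the salt by username, re-hash the submitted password, compare."""
    record = USERS.get(username)
    if record is None:
        # Unknown user: do the same hashing work so response time
        # does not reveal which usernames exist.
        hash_password(password, b"\x00" * SALT_BYTES)
        return False
    salt, stored_hash = record
    candidate = hash_password(password, salt)
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(candidate, stored_hash)
```

Two accounts registered with the same password end up with different salts and therefore different stored hashes, which is the property the salt exists to provide.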