Welcome to the Treehouse Community

Want to collaborate on code errors? Have bugs you need feedback on? Looking for an extra set of eyes on your latest project? Get support with fellow developers, designers, and programmers of all backgrounds and skill levels here with the Treehouse Community!

Looking to learn something new?

Treehouse offers a seven day free trial for new students. Get access to thousands of hours of content and join thousands of Treehouse students and alumni in the community today.

Start your free trial

Security Introduction to Data Security Concerns Hashing

Question on hashing and salt.

So in the video Kenneth describes the use of a salt to differentiate between accounts happening to use the same hashed password. In particular he cites an example of the account creation time being used as the salt as a possible unique identifier.

This makes sense so far, but, if I enter my password to log into say Amazon, or even here, I enter just that: a password (and email). I certainly wouldn't enter the time I signed up for the account, so the password that is entered by me and sent to Amazon's servers (and hashed by the site to then look up against its database) wouldn't match up the combined hashed password & salt right? Would the website not just utilise the email address as the salt?

Or am I other-thinking an example just presented for purposes of explaining the principles of hashing?

2 Answers

When you log into a website you also enter a unique user name along with a password. That user name can be used to look up both your hashed password and the salt in the database. See the answer here on storing salt in a database.

You wouldn't be entering the salt. If a clock were used the SQL in the database can read the server clock.

That's what I meant- you wouldn't enter the salt, so how is this additional identifier used for verification? So I currently see it like this: 'A' represents my password. 'B' represents the salt data.

When I sign up to the website 'A' + 'B' is what is entered into the hashing formula ('A' being something I've actively picked, and 'B' being the unix measure of time at account creation), and the hashed version of these ('A' + 'B' hashed)together is stored (correct?).

But when I go to log into that website, I would just enter my password, 'A', which the website would throw into the hashing formula, and check this hash against its database. But as I currently understand it, this 'A' wouldn't match the database directly (it would be looking for 'A' + 'B'), as there's no entry of the salt, 'B', by myself.

But obviously it must match, because I get into the account without entering 'B', only 'A'. What am I missing?