Welcome to the Treehouse Community
Want to collaborate on code errors? Have bugs you need feedback on? Looking for an extra set of eyes on your latest project? Get support with fellow developers, designers, and programmers of all backgrounds and skill levels here with the Treehouse Community! While you're at it, check out some resources Treehouse students have shared here.
Looking to learn something new?
Treehouse offers a seven day free trial for new students. Get access to thousands of hours of content and join thousands of Treehouse students and alumni in the community today.
Start your free trialZaberca David
2,965 PointsSHAKE salting question
Hello,
You've said that not salting your password when hashing exposes the hash to attacks, since people will try to use predefined words in combinations to match the hash. Well, adding the salt at the end in plain text will give an attacker the trivial challenge to add the salt to the front or to the back of the combinations they try. It just doubles the amount of hashing they need to calculate, it's not a big difference.
How is this more secure? It just adds complexity without much benefits at all.
I think the way it was meant to work is you need to NOT include the semi colon between the hash and salt. That way an attacker will not know how long the salt or hash is, or even if there is salt added at all, which increases the complexity by at least 100 if decently long hashes and salts are used.
1 Answer
Steven Parker
231,269 PointsI think you're under-estimating the level of complexity added by the salt. Kenneth discusses the advantage at about 5:20 in the video.
It only "doubles" the complexity of a legitimate verification, but it makes password searching attempts vastly more difficult. Since each password has a different salt, it prevents any pre-computed list of hashes from being usable on multiple passwords. A hash list would need to be separately computed for each password.
The importance of identifying the salt from the hash is to make a legitimate verification possible. Trying to keep the lengths hidden wouldn't be very effective in the case of a hacked system, since the method would be accessed at the same time as the data.