SHAKE salting question

Question

Hello,

You've said that not salting your password when hashing exposes the hash to attacks, since people will try to use predefined words in combinations to match the hash. Well, adding the salt at the end in plain text will give an attacker the trivial challenge to add the salt to the front or to the back of the combinations they try. It just doubles the amount of hashing they need to calculate, it's not a big difference.

How is this more secure? It just adds complexity without much benefits at all.

I think the way it was meant to work is you need to NOT include the semi colon between the hash and salt. That way an attacker will not know how long the salt or hash is, or even if there is salt added at all, which increases the complexity by at least 100 if decently long hashes and salts are used.

Answer 1 · 2020-06-21T18:20:51Z

June 21, 2020 6:20pm

I think you're under-estimating the level of complexity added by the salt. Kenneth discusses the advantage at about 5:20 in the video.

It only "doubles" the complexity of a legitimate verification, but it makes password searching attempts vastly more difficult. Since each password has a different salt, it prevents any pre-computed list of hashes from being usable on multiple passwords. A hash list would need to be separately computed for each password.

The importance of identifying the salt from the hash is to make a legitimate verification possible. Trying to keep the lengths hidden wouldn't be very effective in the case of a hacked system, since the method would be accessed at the same time as the data.

Welcome to the Treehouse Community

Looking to learn something new?

Zaberca David

Zaberca David

SHAKE salting question

1 Answer

Steven Parker

Steven Parker