

Zaberca David
2,965 Points

SHAKE salting question

Hello,

You've said that not salting your password when hashing exposes the hash to attacks, since people will try to use predefined words in combinations to match the hash. Well, adding the salt at the end in plain text will give an attacker the trivial challenge to add the salt to the front or to the back of the combinations they try. It just doubles the amount of hashing they need to calculate; it's not a big difference.

How is this more secure? It just adds complexity without much benefits at all.

I think the way it was meant to work is you need to NOT include the semicolon between the hash and salt. That way an attacker will not know how long the salt or hash is, or even if there is salt added at all, which increases the complexity by at least 100 if decently long hashes and salts are used.

1 Answer

Steven Parker
216,012 Points

I think you're underestimating the level of complexity added by the salt. Kenneth discusses the advantage at about 5:20 in the video.

It only "doubles" the complexity of a legitimate verification, but it makes password searching attempts vastly more difficult. Since each password has a different salt, it prevents any pre-computed list of hashes from being usable on multiple passwords. A hash list would need to be separately computed for each password.

The importance of identifying the salt from the hash is to make a legitimate verification possible. Trying to keep the lengths hidden wouldn't be very effective in the case of a hacked system, since the method would be accessed at the same time as the data.
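The point of the answer above, shown in working code. This is an added example, not code from the course or from either poster; it assumes SHAKE256 from Python's `hashlib` and the `digest;salt` record layout the question describes. Two users pick the same password, get different stored records, and a table of hashes precomputed for one user's salt matches nothing of the other's.

```python
import hashlib
import secrets
from typing import Dict, Iterable, Optional

SALT_BYTES = 16    # 128-bit random salt, drawn fresh for every stored password
DIGEST_BYTES = 32  # number of output bytes requested from SHAKE256


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return the record 'hexdigest;hexsalt' for a password.

    A fresh random salt is drawn unless one is supplied (verification
    reuses the stored salt). The salt is mixed into the SHAKE256 input,
    so the same password yields a different digest under every salt.
    """
    if salt is None:
        salt = secrets.token_bytes(SALT_BYTES)
    shake = hashlib.shake_256()
    shake.update(salt + password.encode("utf-8"))
    return f"{shake.hexdigest(DIGEST_BYTES)};{salt.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Split the record at the semicolon, rehash with the stored salt, compare."""
    _, salt_hex = stored.split(";", 1)
    recomputed = hash_password(password, bytes.fromhex(salt_hex))
    # constant-time comparison so timing does not reveal how many bytes matched
    return secrets.compare_digest(recomputed, stored)


def lookup_table(candidates: Iterable[str], salt: bytes) -> Dict[str, str]:
    """Map digest -> candidate word, precomputed for ONE specific salt.

    This is the 'pre-computed list of hashes' from the answer: it is only
    valid for the salt it was built with, so it must be rebuilt per record.
    """
    return {hash_password(w, salt).split(";", 1)[0]: w for w in candidates}


def demo() -> None:
    # constructed sample: two users who happen to choose the same password
    alice = hash_password("password123")
    bob = hash_password("password123")
    print("alice:", alice)
    print("bob:  ", bob)
    alice_salt = bytes.fromhex(alice.split(";", 1)[1])
    table = lookup_table(["123456", "password123", "letmein"], alice_salt)
    print("alice's digest in alice-salt table:", alice.split(";", 1)[0] in table)
    print("bob's digest in alice-salt table:  ", bob.split(";", 1)[0] in table)


if __name__ == "__main__":
    demo()
```

The salt sits next to the digest in plain text on purpose, since the verifier must read it back; hiding it gains nothing once the database and the code are both in the same attacker's hands, as the answer notes.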