I understand what a password’s HASH value is. Could someone explain what a SALT is?
thx
A salt is a quasi-random starter string to “mix” with the password to get the hash value:
E.g., HashFunction(Password, Salt) = HashedPassword.
Certain salts are better than others in giving a more random-like distribution. But note that the salt has to be kept around and should be assumed to be known to any password cracker.
The purpose of a salt is that someone attempting to do a dictionary attack on the stored passwords will have to build a set of hashes for the dictionary with your salt. If you didn’t have the salt, then the hashes could have been calculated once long ago and stored.
I believe the default password implementation on many Linux systems uses salts.
The passwords are stored with a random, two-character salt first, followed by the hash of the password with the salt prepended.
For example: let’s say the password is “widget”. When recording the password, the system generates a salt, say “GH”. It then hashes the string “GHwidget”, getting “AF443” (which I just made up, obviously that would be a rather weak algorithm).
The password is then stored as GHAF443. To verify a password, the system extracts the salt, prepends it to the password, and computes the hash to see if it matches.
As mentioned, this means that dictionary attacks can’t be used against the password database, because they would need to be recalculated for whatever salt was used.
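The scheme this answer describes (a random per-password salt stored in the clear beside the hash, extracted again at verification time and combined with the candidate password), as an added Python example that is not from the original thread. The `salt$hash` record format and the choice of PBKDF2-HMAC-SHA256 as the hash function are my own assumptions, standing in for the two-character salt and toy hash in the post.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Hypothetical storage format chosen for this example: "<salt-hex>$<hash-hex>".
# As in the post, the salt is not secret; it sits right next to the hash.
SALT_BYTES = 16
ITERATIONS = 100_000  # PBKDF2 work factor; a deliberately slow hash for stored passwords


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return the stored record for `password`: a fresh random salt plus the salted hash."""
    if salt is None:
        salt = secrets.token_bytes(SALT_BYTES)  # new random salt generated when the password is set
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"{salt.hex()}${digest.hex()}"


def verify_password(stored: str, candidate: str) -> bool:
    """Extract the salt from the record, re-hash the candidate with it, and compare."""
    salt_hex, digest_hex = stored.split("$", 1)
    salt = bytes.fromhex(salt_hex)
    recomputed = hashlib.pbkdf2_hmac("sha256", candidate.encode(), salt, ITERATIONS)
    # Constant-time comparison so the check does not leak how many bytes matched.
    return hmac.compare_digest(recomputed, bytes.fromhex(digest_hex))


def salts_defeat_precomputation(password: str) -> bool:
    """Two records for the same password get different salts and therefore different hashes,
    so a hash table precomputed for one salt is useless against the other."""
    first_hash = hash_password(password).split("$", 1)[1]
    second_hash = hash_password(password).split("$", 1)[1]
    return first_hash != second_hash


if __name__ == "__main__":
    record = hash_password("widget")  # constructed sample password taken from the thread
    print(record)
    print(verify_password(record, "widget"), verify_password(record, "gadget"))
    print(salts_defeat_precomputation("widget"))
```

Passing the post's fixed salt `b"GH"` to `hash_password` reproduces the "GHwidget" idea, with the salt visible as `4748` at the front of the record.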
I really entered into this thread presuming we would be talking about corned beef hash and saltiness.