undefined | Better HN

0 pointssolid_fuel6mo ago0 comments

Maybe this is what you're saying, I'm not sure - my understanding was that the salt prevents reused passwords from resulting in the same hash. So, if I use 'password' and you use 'password' the salt+hash will be different. That way attackers can't just hash all the common passwords once and immediately associate them with different accounts.

0 comments

OkayPhysicist6mo ago

Yeah, exactly. Commonly, the salts are stored right next to the hashes in the DB, because they serve their purpose even if the attacker knows what the salts are. By using a different salt for every password, the attacker needs execute a full "guess, hash, compare, repeat" attack on each user, as opposed to "guess, hash, compare against all user passwords, repeat" on the entire database.

j / k navigate · click thread line to collapse

0 pointssolid_fuel6mo ago0 comments

0 comments

OkayPhysicist6mo ago

j / k navigate · click thread line to collapse