On Thu, Apr 15, 2010 at 3:10 PM, Dan McGee <[email protected]> wrote: > On Thu, Apr 15, 2010 at 2:00 PM, Loui Chang <[email protected]> wrote: >> Hi Denis. I thought the idea behind salt is that if someone gets the >> database, they can't crack the passwords because the salt is secret. > > That's not fully correct. Salt is not meant to be secret; it is meant > to prevent the use of rainbow tables or precomputed hashes. > > The idea behind salt in this case is for each user's password to be > hashed with a different salt. This means if someone is to crack one > person's password, it doesn't help them at all with the remaining > passwords in that same database that they got their hands on because > the salt is unique for every user.
Dan is right - salted passwords are used to reduce the efficiency of rainbow table attacks on the database. I'm no security expert, but it is my understanding that assigning a random salt to each user is considered pretty secure. Some implementations are even simpler - there is a single salt for all passwords in the database, the idea being that an attacker wouldn't be able to use a readily available set of rainbow tables and would have to compute his own set for the salt used. Such implementation is used by CakePHP web framework, for example. Denis.
