I’ve used hashing algorithms back in my PHP days using bcrypt, which has a function to compare an entered password on the login form, to the hash stored in the database, but if the salt is random each time, how can the hash be checked?
In: Technology
As the other answers said, the salt is stored in the database along with the hash.
At first, this might sound like it defeats the security because anyone with access to the hashes also has the salts.
But the difference is, if I have a database of unsalted hashes, I can generate one hash for each guess I make at a finding a valid password, then compare it against every line in the database. I can also see which users have the same (so likely common) passwords, as their hashes will also be the same.
If I want to brute force a salted database, then for each guess I need to generate a different hash to test against each row, using the appropriate salt, so the process is a lot longer (effectively, on average, it would take about as long to brute force a single user’s salted hash as it would to go through an entire unsalted database).
Latest Answers