10

I just looked at the implementation of password hashing in Django and noticed that it prepends the salt, so the hash is created like sha1(salt + password), for example.

In my opinion, salts are good for two purposes:

  1. Preventing rainbow table lookups

    Alright, prepending/appending the salt doesn't really make a difference for rainbow tables.

  2. Hardening against brute-force/dictionary attacks

    This is what my question is about. If someone wants to attack a single password from a stolen password database, he needs to try a lot of passwords (e.g. dictionary words or [A-Za-z0-9] permutations).

    Let's assume my password is "abcdef", the salt is "salt" and the attacker tries all [a-z]{6} passwords.

    With a prepended salt, one must calculate hash("salt"), store the hash algorithm's state and then go on from that point for each permutation. That is, going through all permutations would take 26^6 copy-hash-algorithm's-state-struct operations and 26^6 hash(permutation of [a-z]{6}) operations. As copying the hash algorithm's state is freakin fast, the salt hardly adds any complexity here, no matter how long it is.

    But, with an appended salt, the attacker must calculate hash(permutation of [a-z]{6} + salt) for each permutation, leading to 26^10 hash operations. So obviously, appending salts adds complexity depending on the salt length.

I don't believe this is for historical reasons because Django is rather new. So what's the sense in prepending salts?

BoltClock
AndiDog
  • possible duplicate of [Salting Your Password: Best Practices?](http://stackoverflow.com/questions/674904/salting-your-password-best-practices) – Piotr Dobrogost Aug 04 '14 at 14:55

3 Answers

10

Do neither; use a standard key derivation function like PBKDF2. Never roll your own crypto. It's much too easy to get it wrong. PBKDF2 uses many iterations to protect against brute force, which is a much bigger improvement than the simple ordering.

And your trick of pre-calculating the internal state of the hash function after processing the salt probably isn't that easy to pull off unless the length of the salt corresponds to the block length of the underlying block cipher.

CodesInChaos
  • Thanks for the hint on block lengths, I didn't even think about that. I guess that means that for cryptographic hashes like SHA-1 (512 bit = 64 byte blocks), there's no difference in prepending/appending the salt (unless salt is longer than 64 bytes), right?! – AndiDog Nov 13 '10 at 10:30
  • SHA-1 only has a size of 160 bits / 20 bytes. I don't claim to understand SHA1 well enough to say if there is a difference. But IMO both SHA1(salt+pw) and SHA1(pw+salt) are equally wrong. – CodesInChaos Nov 13 '10 at 10:40
  • I checked a SHA-1 implementation and it really does block processing only after one data block of 64 bytes is full, i.e. my trick is not applicable to short data such as passwords. Thanks for pointing this out. – AndiDog Nov 13 '10 at 13:25
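
An added example (not part of the original thread and not Django's code) that counts SHA-1 compression calls per guess for the prepended and appended orderings discussed above, checks the stored-state idea with `hashlib`'s `copy()`, and shows the PBKDF2 alternative from the answer. The function names, the 16-byte salt, SHA-256 and the default iteration count are assumptions made for illustration.

```python
import hashlib
import hmac
import os

SHA1_BLOCK = 64  # SHA-1 runs its compression function once per 64-byte block

def sha1_blocks(msg_len: int) -> int:
    """Compression calls for msg_len bytes, counting the 0x80 pad byte and 8-byte length field."""
    return (msg_len + 1 + 8 + SHA1_BLOCK - 1) // SHA1_BLOCK

def per_guess_blocks(salt_len: int, pw_len: int) -> dict:
    """Compression calls per password guess against one known salt, for each ordering."""
    total = sha1_blocks(salt_len + pw_len)
    # Only whole blocks made up entirely of salt can be hashed once and reused.
    reusable = salt_len // SHA1_BLOCK
    return {"prepended": total - reusable, "appended": total}

def midstate_matches(salt: bytes, password: bytes) -> bool:
    """hashlib's copy() reproduces the 'store the state after the salt' idea."""
    after_salt = hashlib.sha1(salt)
    guess = after_salt.copy()
    guess.update(password)
    return guess.digest() == hashlib.sha1(salt + password).digest()

def hash_password(password: str, iterations: int = 600_000):
    """PBKDF2-HMAC-SHA256 with a random 16-byte salt; the iteration count is an assumed value."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, iterations, dk

def verify_password(password: str, salt: bytes, iterations: int, expected: bytes) -> bool:
    """Recompute the derived key and compare in constant time."""
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(dk, expected)

if __name__ == "__main__":
    print(per_guess_blocks(4, 6))    # the question's "salt" + "abcdef"
    print(per_guess_blocks(64, 6))   # a salt that fills one whole block
    salt, n, dk = hash_password("abcdef")
    print(verify_password("abcdef", salt, n, dk))
```

With the question's 4-byte salt and 6-character password, both orderings cost one compression call per guess, so the ordering changes nothing; the iteration count in PBKDF2 is what raises the per-guess cost.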
1

If the salt is prepended, an attacker can make a hash state database for salts (assuming the salt is long enough to make a hashing step) and then run a dictionary attack.

But if the salt is appended, an attacker can make such a database for the password dictionary and additionally compute only the salt's hash. Given that the salt is usually shorter than the password (like a 4-char salt and an 8-char password), it will be a faster attack.

blaze
0

You are making a valid point, of course; but, really, if you want to increase the time it takes to calculate the hash, just use a longer hash. SHA256 instead of SHA1, for example.

cababunga
  • 2
    A longer hash result doesn't necessarily mean the hash calculation takes longer. Actually, many hash algorithms were only accepted as de facto standards because they're efficiently implementable. Increasing the calculation time could be done by key derivation functions (applying the hash 1000 times), for example, but the question was really about whether there's a specific reason for choosing to prepend salts. – AndiDog Nov 13 '10 at 10:26