
Why is the salt not more than 8 ~ 16 characters long?

Also, why in most cases is it in the front or end of the password, and not in different positions?

Is this to make it harder for the breaker? Or is it useless?

Daan
  • You should read [the wikipedia article](https://en.wikipedia.org/wiki/Salt_(cryptography)) first. It explains, for example, that the salt is stored in clear text with the hashed password+salt. Hence, making the salt longer than ["long enough"](https://stackoverflow.com/questions/184112/what-is-the-optimal-length-for-user-password-salt?rq=1) is not necessary, and neither is changing its position. It simply doesn't matter. Keep in mind what the purpose of salt is (defending against dictionary attacks/rainbow tables). – Malte Hartwig May 09 '18 at 14:30

2 Answers

Because more salt doesn't serve a useful purpose.

The point of salt is to prevent some parallel attacks from working in a reasonable amount of time, memory, and/or drive space. (You can no longer have a table that says Hash A => Password A, because even if you had enough disk space to construct a rainbow table, the salt makes the number of possible entries way beyond feasibility. And you can no longer hash a potential password once and compare it against a bunch of hashes at a time, because the salt is quite likely to be different for each hash.)

16 characters gives you somewhere between 10^16 and 96^16 times as many possibilities, which already fits the definition of "way beyond feasibility". Past a certain point, you're simply increasing your own storage requirements for no significant benefit.

cHao
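The two properties this answer relies on (the salt is random per record and stored in the clear next to the digest, so one guess can no longer be hashed once and compared against every record) can be shown in a few lines. The following is an added example, not code from the question or either answer; the 16-byte salt length, the PBKDF2-SHA256 choice, the iteration count and the `salt$digest` storage format are assumptions made for the illustration.

```python
import hashlib
import hmac
import secrets
from typing import List, Optional

# Constructed parameters for this example (not from the original post).
SALT_LEN = 16          # 16 random bytes, the upper end of the range the question asks about
ITERATIONS = 100_000   # PBKDF2 work factor; chosen for the example, tune for your hardware


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return 'salt_hex$digest_hex'.

    The salt is generated randomly per call and stored in the clear beside the
    digest; it only needs to be unique and unpredictable, not secret.
    """
    if salt is None:
        salt = secrets.token_bytes(SALT_LEN)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"{salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Re-derive the digest with the stored salt and compare in constant time."""
    salt_hex, digest_hex = stored.split("$", 1)
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), ITERATIONS
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def hashes_needed_to_test_one_guess(records: List[str]) -> int:
    """How many PBKDF2 computations it takes to check ONE candidate password
    against every stored record: one per distinct salt.

    With no salt (or one shared salt) this is 1 regardless of record count,
    which is exactly the batch attack a per-record salt removes.
    """
    return len({record.split("$", 1)[0] for record in records})


def demo() -> dict:
    """Build a small constructed user table and report the properties above."""
    users = ["alice", "bob", "carol"]
    shared_password = "correct horse battery staple"  # constructed sample input

    # Per-record random salts: identical passwords yield different records.
    salted = [hash_password(shared_password) for _ in users]

    # Same table with a fixed (effectively absent) salt, for comparison only.
    fixed_salt = bytes(SALT_LEN)
    unsalted = [hash_password(shared_password, fixed_salt) for _ in users]

    return {
        "distinct_salted_records": len(set(salted)),
        "distinct_unsalted_records": len(set(unsalted)),
        "hashes_per_guess_salted": hashes_needed_to_test_one_guess(salted),
        "hashes_per_guess_unsalted": hashes_needed_to_test_one_guess(unsalted),
        "verify_ok": all(verify_password(shared_password, r) for r in salted),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running `demo()` shows three users with the same password producing three different salted records (and three hash computations per attacker guess), versus one identical record and one computation per guess when the salt is fixed. Nothing in the function depends on where the salt sits in the input: PBKDF2 mixes salt and password through HMAC, so prefix and suffix placement give different but equally unpredictable digests, which is why the comment above says the position does not matter.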

A salt of 8 characters is enough against any real-life dictionary attack imaginable; it makes any dictionary or rainbow table useless.

Vladimir.V.Bvn