• Downcount@lemmy.world
    link
    fedilink
    arrow-up
    4
    ·
    1 year ago

    Additional to what others have said: The “salted” part is very relevant for storing.

    There aren’t soooo much different hashing algorithms people use. So, let’s simplify the hashing again to the crossfoot example.

    Let’s say, 60% of websites use this one algorithm (crossfoot) for storing your password, and someone steals the password “hashes” (and the login / email). I could ran a program that creates me a list of all possible crossfoots for all numbers for 1 to 100000.

    This would give me an easy lookup table for finding the “real” number behind those hashes. (Those tables exists. Look up “rainbow tables”)

    Buuuut what if I use a little bit of salt (and pepper pepper pepper) before doing my hashing / crossfooting?

    Let’s use the pw “69” again and use a salt with a random number “420” and add them all together:

    6 + 9 + 420 = 435

    This hash wouldn’t be in my previous mentioned lookup table. Use different salts for every user and at least the lookup problem isn’t such a big problem anymore.