📖 What is Salt (Cryptography)?
Salt is a random string of data added to a password before it is hashed to protect against rainbow table attacks. By ensuring that identical passwords result in different hashes, it forces attackers to crack each password individually.
"Remember that salting prevents pre-computed attacks (rainbow tables), but it does not prevent brute-force or dictionary attacks on a single hash."
📚 Certification: Certified Information Systems Security Professional (CISSP)
🔑 What are the Key Concepts of Salt (Cryptography)?
- ▸ Rainbow Table Mitigation: Salting renders pre-computed hash tables ineffective because attackers must generate a new table for every unique salt value used.
- ▸ Unique Per-User Salts: To maximize security, each password should have its own random salt, ensuring identical passwords result in unique hashes.
- ▸ Storage and Retrieval: Salts are stored in plaintext alongside the hash in the database, as they are not secrets but uniqueness modifiers.
- ▸ Concatenation Process: The salt is appended or prepended to the plaintext password before the hashing algorithm is applied to the combined string.
- ▸ Integration with Stretching: Salting is typically combined with key stretching algorithms like PBKDF2 or bcrypt to increase the computational cost of cracking.
🎯 How does Salt (Cryptography) appear on the CISSP Exam?
You may be asked to identify the most effective defense against rainbow table attacks in a scenario where a database of password hashes has been leaked to an external adversary.
A scenario might describe a security architect designing a password storage mechanism. You will need to explain why per-user salts are superior to a single, system-wide salt for preventing bulk cracking.
Expect questions where you must distinguish between salting and peppering, specifically focusing on the storage location of the value and whether it is intended to be a secret.
❓ Frequently Asked Questions
Does salting protect against brute-force or dictionary attacks?
No, salting only prevents pre-computed attacks like rainbow tables. An attacker can still attempt to brute-force a specific hash, although they must do so individually for every salted account.
Since the salt is stored in plaintext, doesn't that make it useless?
No, the salt's purpose is not secrecy, but uniqueness. By ensuring no two identical passwords have the same hash, it forces attackers to compute hashes for each user individually.
What is the primary difference between a salt and a pepper?
A salt is unique per user and stored in the database. A pepper is a secret value shared across all users and stored in a separate secure location, like an HSM.