-1

In this question on this board the author of the selected answer states the following.

If you, as an attacker, manage to extract hashes and salts from a database, you probably either find a way to extract the password hashing algorithm of the website or you just create a new account with a known password, extract the hash and salt for it and brute force the algorithm that was used to compose the final hash - ckck

Knowing this if we were to hard code the positioning of our salt it is just as good as placing it at the end of the password.

But if we were to generate a pepper limited to the length of our password would placing our salt at that index be any better?

The server will know the password so it only has to do maybe 10 or so more hash's that already only take milliseconds so it shouldn't impact login time that much.

Morgan Brown
  • 3
  • 1

1 Answers1

0

As the scenario states, it is reasonable to assume that an attacker capable of extracting hashed from the database is also capable of obtaining the code that does the hashing.

Your approach may hinder an unskilled attacker, but once they have the encryption code it is trivial to alter their cracking tool to match your algorithm.

The best defence against offline brute force attacks is using a time costly algorithm like bcrypt or scrypt

wireghoul
  • 5,755
  • 2
  • 17
  • 26