2

I always hear that MD5 is too fast for effective password crypto because you can crack up to 6 characters very quickly (or is this number higher now)?

But what if the salt you use is really long and complex? Doesn't this compensate in some way for the fast hash function?

  • 4
    Possible duplicate of [Is MD5 considered insecure?](https://security.stackexchange.com/questions/19906/is-md5-considered-insecure) – kenorb Oct 11 '17 at 22:37
  • 1
    I don't see how this question would be a duplicate. It is much more specific, and starts off with the assumption that MD5 is indeed insecure. – Anders Oct 18 '17 at 13:52

2 Answers

5

Not at all. The salt is expected to be known and it adds no significant complexity unless you are using a salt that is measured in megabytes. The point is that you need to slow things down and the salt is only appended to the password. Unless you make the input data majorly longer, it won't slow the algorithm down significantly.

Even with a super, super long salt, the way you apply it to the password would be key too in order to prevent the state of the MD5 process from being saved and minimizing the amount of effort required to perform the hash.

AJ Henderson
  • @user2175923 - A salt CAN'T be in the source code as it MUST be random for each hash or it is completely worthless. The attack you describe assumes that the attacker has the hash values, which means the DB was compromised, thus salts are also compromised. When you apply a salt, you combine the password input and the salt together to form the input that you hash. If you are relying on length of input to slow down hash collision attempts, then you need a long input that can't be optimized from case to case in order to guarantee that it actually makes each hash slow enough. – AJ Henderson Jun 18 '14 at 13:37
  • @user2175923 - It seems you don't understand the attack you are trying to protect against. The attack you are describing in your question is where an attacker already HAS the hash values stored in the DB for each user and is trying to figure out the password from that. They hash a bunch of possible values and look for a match. If they are able to even attempt this attack, it means that the DB had to be compromised to get the hash values. It would be silly to assume they didn't also grab the salt values while they were there. Salting is a protection for in case the DB is compromised. – AJ Henderson Jun 18 '14 at 13:43
  • Salting hashes are used to prevent attacks by hackers who have already obtained the hashes, and possibly the salts. The salts are stored in the databases, along with the hashes, and could safely be made publicly available. They are different for each password hash. The idea is so if you use a common hash method such as MD5, you can look up in a reverse hash table the hash you found. For example, if your password is "password", looking its hash up in a table of generated hashes finds the original password. With salts, you're getting the hash of something that's most likely not in any table. – Phoenix Logan Jun 18 '14 at 13:56
2

The only property of the salt is to be unique -- really unique, i.e. each hashed password has its own value (that's not one salt per server, but one salt per user, and a new one when the user changes his password). The salt is not secret.

The role of the salt is to thwart cost sharing between several attack instances; e.g. when the attacker has several hashed passwords to crack and wants to optimize things. The salt does not help at all for the resistance of a single password; what it ensures is that attacking 1000 hashed passwords costs 1000 times attacking one. In particular, salts prevent usage of precomputed tables, e.g. rainbow tables (precomputed tables are one type of cost sharing).

If you use a salt with some other properties (e.g. a "secret salt") then it is not a salt.

For an introduction on password hashing, read this.

Tom Leek
  • If there is a single hashed password, and the attacker has the hash value (and salt), then the attacker can run an _offline dictionary attack_ (i.e. the attacker works on his own machines) and, indeed, only the algorithm slowness will stand between the attacker and the password. Good password hashing functions include _both_ a salt, and a "configurable slowness" (with some sort of iteration count or something similar). – Tom Leek Jun 18 '14 at 14:29
  • When a salt is secret, it is called [pepper](https://en.wikipedia.org/wiki/Pepper_(cryptography)). – Yeti Aug 08 '18 at 07:27
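
Added example (not code from either answer or from any poster): a Python sketch of two points made in the answers above, that a long salt placed before the password is absorbed only once when the MD5 state is saved, and that a salt combined with a configurable iteration count is what sets the cost per guess. The 1 MiB salt, the sample password, the helper names and the iteration count are constructed assumptions.

```python
import hashlib
import os

MD5_BLOCK = 64  # MD5 consumes its input in 64-byte blocks


def md5_blocks(n_bytes):
    """Compression-function calls needed to hash n_bytes, padding included."""
    return (n_bytes + 8) // MD5_BLOCK + 1


def salted_md5(salt, password):
    """The scheme from the question: MD5 over the salt followed by the password."""
    return hashlib.md5(salt + password).hexdigest()


def cached_salt_hasher(salt):
    """Absorb the salt once, then reuse the saved MD5 state for each candidate."""
    state = hashlib.md5(salt)

    def hash_candidate(password):
        h = state.copy()  # clone the saved state; the salt is not re-read
        h.update(password)
        return h.hexdigest()

    return hash_candidate


def blocks_per_guess(salt_len, pw_len, cached):
    """MD5 block operations per candidate, with or without the saved state."""
    total = md5_blocks(salt_len + pw_len)
    return total - (salt_len // MD5_BLOCK if cached else 0)


def slow_hash(salt, password, iterations=600_000):
    """Salt plus configurable slowness (PBKDF2-HMAC-SHA256 from the stdlib).
    The default iteration count is an assumption; tune it for your hardware."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, iterations).hex()


if __name__ == "__main__":
    salt = os.urandom(1024 * 1024)  # constructed 1 MiB per-user salt
    pw = b"hunter2!"                # constructed sample password
    fast = cached_salt_hasher(salt)
    print(fast(pw) == salted_md5(salt, pw))             # identical digest
    print(blocks_per_guess(len(salt), len(pw), False))  # work without caching
    print(blocks_per_guess(len(salt), len(pw), True))   # work with saved state
    print(slow_hash(os.urandom(16), pw)[:16])           # cost set by iterations
```

With the state saved, the megabyte of salt contributes nothing to the per-candidate work, whereas the PBKDF2 cost scales with `iterations` regardless of salt length.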