OpenSSL - Password vs Salt Purpose
When encrypting a file with OpenSSL, it is possible to use -pass pass:mySillyPassword, where mySillyPassword is the password used in encryption. In addition, it is possible to use a salt, where -salt -s (hex string) is used to specify the salt.
Why would someone want to use a password instead of the salt or in conjunction with a salt? Also, I understand just using the -salt command will cause OpenSSL to generate a salt. How is this better than a user-defined salt? If OpenSSL randomly generates a salt, how will the user know what the salt is to decrypt the file in the future?
Answer
In OpenSSL, the salt will be prepended to the front of the encrypted data, which will allow it to be decrypted. The purpose of the salt is to prevent dictionary attacks, rainbow tables, etc. The following is from the OpenSSL documentation:
Without the -salt option it is possible to perform efficient dictionary attacks on the password and to attack stream cipher encrypted data. The reason for this is that without the salt the same password always generates the same encryption key. When the salt is being used the first eight bytes of the encrypted data are reserved for the salt: it is generated at random when encrypting a file and read from the encrypted file when it is decrypted.
The documentation suggests that a salt always be used with a password, except if compatibility with earlier versions that do not support a salt is neccessary.