What is "salt" when relating to MYSQL sha1?

Noah R · Dec 4, 2010 · Viewed 25.7k times

What is "salt" when relating to MYSQL sha1? I have no idea what salt is when relating to sha1 password encryptions. Can someone please explain what it is?

Answer

cfeduke · Dec 4, 2010

A salt is a value that is added to a password (or other secret) which you want to hash one way. This means it could be before, after, or somewhere inside the password, as long as its position and value are consistent for a given supplied password.

What this does is it mitigates dictionary attacks - basically dictionaries of common passwords pre-hashed with no salt - from being used to "guess" a one way password as long as the attacker does not know the hash. If every password has a different hash then it makes it very difficult for an attacker to create a dictionary optimized for cracking your passwords (they would need a dictionary for each separate salt and they would also need to know where the salt was placed in each password).

Of course for all of this to be applicable an attacker must have the hashes of your passwords in the first place. This has nothing to do with attacking passwords by guessing them through some input prompt.

Regarding MySQL specifically, if you provide a salt when hashing a password, make sure you record what that salt was somewhere. Then when a user attempts authentication you combine that recorded salt value with the password (during the call to crypt for example) and if the resulting hash matches then they have entered the correct password. (Note that at no time is the hashing of a password reversed; thus one way.)
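The scheme the answer describes, as an added example that is not part of the original answer: a random per-user salt is prefixed to the password before SHA-1 (SHA-1 only because it is what the question asks about), the salt is stored next to the hash in a `salt$hash` record, and verification re-applies the recorded salt; the record format, function names and the sample password list are assumptions made for this example.

```python
import hashlib
import hmac
import secrets
from typing import Iterable, Optional

# Record format is an assumption for this example: "<hex salt>$<hex sha1>".
# Storing the salt beside the hash is what lets verification re-use it later.

def new_salt(nbytes: int = 16) -> str:
    """Fresh random salt per password, hex-encoded so it fits a text column."""
    return secrets.token_hex(nbytes)

def hash_password(password: str, salt: str) -> str:
    """One-way hash of salt + password. Same salt and password -> same digest."""
    return hashlib.sha1((salt + password).encode("utf-8")).hexdigest()

def make_record(password: str) -> str:
    """Value to store for a user: the salt and the salted hash together."""
    salt = new_salt()
    return f"{salt}${hash_password(password, salt)}"

def verify(password: str, record: str) -> bool:
    """Recombine the recorded salt with the supplied password and compare.

    compare_digest avoids leaking how many leading bytes matched via timing.
    """
    salt, stored_hash = record.split("$", 1)
    return hmac.compare_digest(hash_password(password, salt), stored_hash)

def precomputed_table_hit(record: str, dictionary: Iterable[str]) -> Optional[str]:
    """Show why salting helps: a table of *unsalted* SHA-1 digests of common
    passwords (constructed here from `dictionary`) never matches a salted record,
    even when the real password is in the list."""
    table = {hashlib.sha1(p.encode("utf-8")).hexdigest(): p for p in dictionary}
    return table.get(record.split("$", 1)[1])

if __name__ == "__main__":
    rec = make_record("password123")          # constructed sample password
    print("stored record:", rec)
    print("correct password verifies:", verify("password123", rec))
    print("wrong password verifies:", verify("password124", rec))
    print("two users, same password, same hash?",
          rec.split("$")[1] == make_record("password123").split("$")[1])
    print("unsalted dictionary hit:", precomputed_table_hit(rec, ["password123", "letmein"]))
```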