To Salt or Not To Salt? — Salting is not the only answer to securing passwords

Prof Bill Buchanan OBE FRSE
Published in Coinmonks
9 min read, Aug 9, 2018

It was recently revealed that LinkedIn did not salt its password hashes before the 2012 hack. While salting would have increased the time it takes to crack those hashes, it is merely a bump in the road if users choose passwords such as “123456”.

Why? Because the salt is typically stored alongside the hashed password, so if the user selects “123456”, the cracker simply takes a dictionary containing this password, prepends the salt to each entry, hashes it and compares the result. Every one of these passwords from the 2012 LinkedIn breach would have been cracked almost instantly on standard GPU hardware (such as an NVIDIA graphics card or an AWS GPU instance).

You don’t have to be Eve the Magician to see the problem. If I tell you that my password is “qwerty”, you can take a hash of it and get “B1B3773A05C0ED0176787A4F1574FF0075F7521E”; if I then tell you I used a salt value of “64gfc*w”, you can just as quickly take a hash of “64gfc*wqwerty” and get “DAA903ACDA75D0FEDDEFED1FE39825EDB42D9991”. If the salt is stored with the hashed value, it is of little use with easily guessed passwords.
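The point above, as an added example that is not code from the article: it reproduces the article's salt-then-SHA-1 scheme with its own salt value “64gfc*w”, shows that a stored (salt, hash) pair for a weak password falls to a tiny constructed wordlist because the salt is public, and contrasts the per-guess cost of plain SHA-1 with a deliberately slow KDF (PBKDF2-HMAC-SHA256, used here as an assumed mitigation the article's title alludes to). The wordlist and the 600,000-iteration count are constructed values for the demonstration.

```python
import hashlib
import hmac
import os
import time

# The article's example salt (the password hash is stored next to it in a breach).
SALT = "64gfc*w"

# Tiny constructed wordlist standing in for a real cracking dictionary.
WORDLIST = ["password", "123456", "qwerty", "letmein", "iloveyou"]


def salted_sha1(salt: str, password: str) -> str:
    """The scheme the article describes: SHA-1 over salt || password."""
    return hashlib.sha1((salt + password).encode()).hexdigest()


def guess_from_wordlist(salt: str, stored_hash: str, wordlist=WORDLIST):
    """Defender's audit: does a stored (salt, hash) fall to a wordlist?
    Because the salt is known, each guess is just salt + word hashed once.
    Returns the matching word, or None if no entry matches."""
    for word in wordlist:
        if hmac.compare_digest(salted_sha1(salt, word), stored_hash):
            return word
    return None


def slow_hash(salt: bytes, password: str, iterations: int = 600_000) -> bytes:
    """Mitigation (assumed, not from the article): a slow KDF so every
    wordlist guess costs hundreds of thousands of hash computations."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def cost_per_guess(func, *args, repeat: int = 3) -> float:
    """Wall-clock seconds for one guess, averaged over `repeat` runs."""
    start = time.perf_counter()
    for _ in range(repeat):
        func(*args)
    return (time.perf_counter() - start) / repeat


if __name__ == "__main__":
    stored = salted_sha1(SALT, "123456")  # what a breach would leak alongside SALT
    print("stored salt, hash :", SALT, stored)
    print("recovered guess   :", guess_from_wordlist(SALT, stored))
    print("SHA-1 cost/guess  : %.2e s" % cost_per_guess(salted_sha1, SALT, "123456"))
    print("PBKDF2 cost/guess : %.2e s" % cost_per_guess(slow_hash, os.urandom(16), "123456"))
```

The salted hash differs from the unsalted one, yet the weak password is still recovered on the second wordlist entry; only the slow KDF changes the cost of each guess by orders of magnitude.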
