85 views, 2 answers

Hi,

I've read somewhere that adding a salt at the beginning of the password before hashing it is a bad idea. Instead, it is much more secure to insert it somewhere in the middle of the password.

I don't remember where I found this, and I can neither find any other articles saying the same thing nor understand why this would increase security.

So is it true? Or does it really not matter from a security perspective? If the assertion is true, can somebody explain why? Is it valid only for weak hashes like MD5/SHA1?

+2  A: 

It would potentially be slightly more secure, but negligibly. I wouldn't worry about it and just prepend it for simplicity's sake. Almost every company I've worked for didn't even use a salt, so you are already more secure than most.

The chance that a hacker with a hash stolen from your database, or obtained via a man-in-the-middle attack, will crack it when a salt has been applied is very low, as opposed to unsalted hashes, which can potentially be cracked easily with rainbow tables.

Matt Williamson
Of course. I am just curious about understanding why, in theory, is it more secure.
MainMa
It is [very slightly] more secure because an attacker trying to brute force guess the salt would probably prepend it as that is the typical usage.
Matt Williamson
Ah. I see. Thank you.
MainMa
You're welcome.
Matt Williamson
+1  A: 

In other applications, when using an HMAC, both prepending and appending the secret key are vulnerable to different types of attack. Neither of these apply to salting a password hash, though, so either one should be satisfactory.

Nick Johnson
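The following is an added example written for this page; it is not code from either answer. It runs the scenario both answers describe: a lookup table (a rainbow table reduced to its simplest form) built from a small constructed wordlist, checked against a SHA-256 digest with the salt placed as prefix, suffix or in the middle. The wordlist, the hex salt, the user password and all function names (`salted_digest`, `build_table`, `lookup`, `demo`, `hash_password`, `verify_password`) are constructed for the example. The last two functions show the approach a practitioner should actually use, a purpose-built key-derivation function (`hashlib.pbkdf2_hmac`) where the salt's position is fixed by the algorithm and the stored digest is compared in constant time.

```python
import hashlib
import hmac
import os

# Constructed sample data: a tiny "dictionary" standing in for the wordlist
# behind a rainbow table, and the salt the server stored next to the hash.
WORDLIST = ["123456", "password", "letmein", "hunter2", "qwerty"]
STORED_SALT = bytes.fromhex("a3f1c9d2e4b5")   # constructed value, not a real salt
USER_PASSWORD = "hunter2"                      # constructed value


def salted_digest(password: str, salt: bytes, position: str) -> str:
    """SHA-256 of the password with the salt as prefix, suffix or in the middle."""
    pw = password.encode("utf-8")
    if position == "prefix":
        data = salt + pw
    elif position == "suffix":
        data = pw + salt
    elif position == "middle":
        mid = len(pw) // 2
        data = pw[:mid] + salt + pw[mid:]
    else:
        raise ValueError(f"unknown salt position: {position}")
    return hashlib.sha256(data).hexdigest()


def build_table(wordlist, salt: bytes, position: str) -> dict:
    """Precomputed digest -> password map; the attacker chooses salt and layout."""
    return {salted_digest(p, salt, position): p for p in wordlist}


def lookup(table: dict, target_digest: str):
    """Return the recovered password, or None if the digest is not in the table."""
    return table.get(target_digest)


def demo() -> dict:
    """Try three attacker assumptions against each salt placement."""
    results = {}
    for pos in ("prefix", "suffix", "middle"):
        stored = salted_digest(USER_PASSWORD, STORED_SALT, pos)
        # 1. Table built with no salt at all (classic rainbow table): never matches.
        results[(pos, "no_salt")] = lookup(build_table(WORDLIST, b"", "prefix"), stored)
        # 2. Attacker knows the salt but assumes the usual prefix layout:
        #    matches only when the defender really used a prefix.
        results[(pos, "salt_as_prefix")] = lookup(build_table(WORDLIST, STORED_SALT, "prefix"), stored)
        # 3. Attacker knows salt and layout: one hash per candidate, same cost
        #    whatever the placement, and the table always matches.
        results[(pos, "salt_and_layout")] = lookup(build_table(WORDLIST, STORED_SALT, pos), stored)
    return results


def hash_password(password: str, salt: bytes = b"", iterations: int = 600_000) -> tuple:
    """Recommended form: a slow KDF with a random per-user salt; placement is fixed by PBKDF2."""
    if not salt:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes, iterations: int = 600_000) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    for key, value in sorted(demo().items()):
        print(f"{key[0]:6s} / attacker assumes {key[1]:16s} -> {value}")
    salt, digest = hash_password(USER_PASSWORD)
    print("pbkdf2 verify:", verify_password(USER_PASSWORD, salt, digest))
```

Running `demo()` shows the point both answers make: any salt, wherever it sits, defeats a table built without it; an unusual placement only helps against an attacker who has the salt but guesses the layout wrong; and once the attacker knows the scheme (which must be assumed for anything deployed), every placement costs exactly one hash per candidate. The defensive lever that actually changes the cost is the iteration count of the KDF, not where the salt goes.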