tags:

views:

85

answers:

2
+2  Q: 

Is prepending salt to the password instead of inserting it in the middle decreases security?

Hi,

I've read somewhere that adding a salt at the beginning of the password before hashing it is a bad idea. Instead, it is much more secure to insert it somewhere in the middle if the password.

I don't remember where I've found this, and cannot neither find any other articles saying the same thing, nor understand why this may increase security.

So is it true? Or it really doesn't matter from security perspective? If the assertion is true, can somebody explain why? Is it valid only for weak hashes like MD5/SHA1?

+2  A: 

It would potentially be slightly more secure, but negligibly. I wouldn't worry about it and just prepend it for simplicity's sake. Almost every company I've worked for didn't even use a salt, so you are already more secure than most.

The chances of a hacker with a hash stolen from your database or a man-in-the-middle attack that has a salt applied is very unlikely to be found as opposed to un-salted hashes which can potentially be cracked easily with rainbow tables.

Matt Williamson  2010-08-08 04:26:50
Of course. I am just curious about understanding why, in theory, is it more secure.
MainMa  2010-08-08 04:32:32
It is [very slightly] more secure because an attacker trying to brute force guess the salt would probably prepend it as that is the typical usage.
Matt Williamson  2010-08-08 04:34:48
Ah. I see. Thank you.
MainMa  2010-08-08 04:41:36
You're welcome.
Matt Williamson  2010-08-08 04:57:53
+1  A: 

In other applications, when using an HMAC, both prepending and appending the secret key are vulnerable to different types of attack. Neither of these apply to salting a password hash, though, so either one should be satisfactory.

Nick Johnson  2010-08-08 13:02:19

related questions

How to transition to Functional Programming
List of the top Programming "shows"
How to contribute code back to an Open Source project?
What is Test Driven Development (TDD)?
pass by reference or pass by value?
Could you recommend a good free project hosting website?
Writing A "Conway's Game of Life" Program
Learning to write a compiler
How can I modify .xfdl files? (Update #1)
Followup: "Sorting" colors by distinctiveness
Followup: Finding an accurate "distance" between colors
Windows Help files - what are the options?
A little diversion into floating point (im)precision, part 1
Internationalization in your projects
Efficiently get sorted sums of a sorted list
Format string to title case
GUI Programming APIs
Using combinations of sets as test data
What books would you recommend for a beginning Software Developer?
The Definitive Guide To Website Authentication
What is your solution to the FizzBuzz problem?
Generate list of all possible permutations of a string
When to use unsigned values over signed ones?
Function for creating color wheels
Fastest way to get value of pi