Salting Hashes - why is the salt treated by the literature as being known to Eve?

Question

The title says everything. I don\'t understand: why you shouldn\'t keep your salt a secret like the password. Or did I misunderstand something?

Answer 1

You should keep your salt a secret for the same reason that you salt in the first place.

Hackers can and have created Rainbow Tables whereby they hash using (md5, sha1, sha256, sha512, etc.) a list of the top 1,000 or so most common passwords.

If a hacker manages to get a hold of your database... its good that your passwords are hashed, but if they do a quick comparison and find a hash that matches one they have in their list, they know what the password is for that account.

The key to them doing the hack, is having that rainbow table handy. If you've added a salt, their rainbow table is useless... but if you make the salt east to find or you share it with others, then the hackers can re-build a new rainbow table using your salt.(*) e.g. you've made it easier for them to hack.

(*) Note this is a little harder than described, since the hacker may not know if you added the salt as a prefix, suffix, both, etc.