[Owasp-codereview] Adding Salt?

Nam Nguyen namn at bluemoon.com.vn
Tue Mar 3 08:09:06 EST 2009

Hello Zaki

Salts are usually generated by the application, not by the users.

If salts were users' inputs, they would provide no more security than any other passwords.

So, salts are saved together with users' records and only the app knows about these salts. The app uses them in calculating salted password hashes.


On Tue, 3 Mar 2009 18:10:18 +0700
Zaki Akhmad <zakiakhmad at gmail.com> wrote:

> Hello,
> I don't understand[1], how we compare hash result from the password
> (after it has been concatenate with salt) with the hash value? Isn't
> it the user must enter the "salt value" after he/she enter the
> password in order to get the same hash value?
> Illustration:
> password: abcde
> salt: 01
> hash (password+salt) = qwertyqwerty
> But the user never enter the "salt value". CMIIW.
> -- 
> Zaki Akhmad
> [1]http://www.owasp.org/index.php/Hashing_Java#Why_add_salt_.3F
> _______________________________________________
> Owasp-codereview mailing list
> Owasp-codereview at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-codereview

Nam Nguyen
Blue Moon Consulting Co., Ltd

More information about the Owasp-codereview mailing list