Salt

NZ_Kiwis

So if I hash a password with sha1 (forgetting the pros and cons of each hash). And I store my salt in the user table as well, do I hash the salt?

If so how do I compare my posted password vs stored hashed password +salt?

For example

if (sha1($_POST['pw']) + salt which is already hashed == $row['pw'] + $row['salt'])??? How does salt make this more secure?

I know there is another I started on this buts in broken into other conversation so keeping it specific I started a new thread.

bradgrafelman

Keeping it simple (and repeating what was said a few times in the other thread, most recently and cleanly by laserlight):

Generate a salt, append it to the user's password, store the salt and the computed hash of the (salt + password) combination. To then check a given password, retrieve the salt, append it to the given password, compute the hash, compare that computed hash value to the one stored in the DB.

dalecosp

NZ_Kiwis;11030197 wrote:
How does salt make this more secure?

It makes it harder for certain types of attacks to decipher your encrypted passphrases.

Wikipedia wrote:
The original intent of salting was primarily to defeat pre-computed rainbow table attacks that could otherwise be used to greatly improve the efficiency of cracking the hashed password database. A greater benefit now is to slow down parallel operations that compare the hash of a password guess against many password hashes at once.