Password Salts
#1

I'm reading up on password security, and I'm a bit confused about salting. If a rainbow table/lookup table can be made for all the possible passwords, surely if they know the salt for a password, they can create a table for it with every possible word plus the salt?

If I have this database:


* Obviously the plaintext passwords won't be stored :P

If I wanted to find out Steve's password, wouldn't I just be able to add the salt (which I know, because it's stored in the database) to the rainbow/lookup table? For example I could check the following hashes:

"apple" + "FNkwqx4X" = bf9bbcf9faf59333a9467e878ef7e88c61ae3381ee7fb685221ba88a2bc127e2 (WRONG)
"grapefruit" + "FNkwqx4X" = f7213a8e2d934c14487daf5a4fac6d7e6a742f8982584cb1cfa6adb62e8a82cb (WRONG)
...
"banana" + "FNkwqx4X" = 969fb8ae699480dd843181b14c859c57c444d4e890f539080baac03c8a90556f (CORRECT)

I must have the wrong idea. If someone could explain, thanks.

To get the hash, I just joined the strings like so: SHA256('bananaFNkwqx4'). Not sure if that's how it's meant to be done though.
#2

Yes but in my example, if I wanted to know a single user's password and I had the hash of their password+salt and the salt, it'd be easy to get their password? How do you protect against that?
#3

So it would take an hour for someone to find out Steve's password? Are there no methods to prevent this? My main concern isn't ALL passwords, but individual ones.
#4

You can try a combination of adding the salt at the beginning, the end, or two salts at the beginning and end. Find a combination that isn't really intuitive.

EDIT: You can also use a constant salt (one that isn't stored in your database, preventing a hacker from getting it) along with a random one.
#5

I see. I have an idea of what to do now, thanks.
#6

You can also just hash a hash (or as many times as you want).
#7

Never mind ...
#8

Why not split the player's name in half, hash both halves of the player's name, 'salt' the first and last part of the player's password with them, and lastly hash the new password?
It's what I do.
#9

Surely no matter how you salt your passwords, they can be cracked using a rainbow table once you know the 'format'?

For example, going by Kreatyve's example:

Mike
'password'

Mipasswordke

In the table, the player's name and password hash are stored. If someone wants my password, all they have to do is make a rainbow table of 'Mi[?????]ke'. There's only one variable part. It's exactly the same as not having a salt at all.

How long exactly would it take to make a rainbow table anyway?
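The scheme from post #1 (SHA256 of password + salt), the shared-table question in posts #1 and #9, and the iterated hashing post #6 suggests, worked through as an added example. This is not code from the thread; the word list, the user names and every salt other than Steve's "FNkwqx4X" are constructed for the demo.

```python
import hashlib
import hmac
import secrets

# Constructed word list standing in for a rainbow/lookup table's input set.
WORDLIST = ["apple", "grapefruit", "cherry", "banana", "mango"]


def sha256_concat(password: str, salt: str) -> str:
    """Post #1's scheme: SHA256(password + salt) as a hex digest."""
    return hashlib.sha256((password + salt).encode()).hexdigest()


def shared_table_hits(users: dict, table_salt: str) -> list:
    """Build a lookup table for ONE salt and report which users it cracks.
    `users` maps name -> (salt, sha256_concat digest). With a per-user salt the
    table only matches the user it was built for; with salt "" (unsalted) one
    table matches every user who picked a word in the list."""
    table = {sha256_concat(w, table_salt): w for w in WORDLIST}
    return [name for name, (_salt, digest) in users.items() if digest in table]


def new_salt(nbytes: int = 16) -> str:
    """Per-user random salt from the OS CSPRNG; it is stored next to the hash."""
    return secrets.token_hex(nbytes)


def pbkdf2_hex(password: str, salt: str, iterations: int = 200_000) -> str:
    """Post #6's 'hash a hash many times' in its standard form, PBKDF2-HMAC-SHA256.
    The salt still stops shared tables; the iteration count is what makes a
    targeted guess against a single user cost `iterations` hashes instead of one."""
    return hashlib.pbkdf2_hmac(
        "sha256", password.encode(), salt.encode(), iterations
    ).hex()


def verify(password: str, salt: str, stored: str, iterations: int = 200_000) -> bool:
    """Login check; compare_digest avoids leaking how much of the digest matched."""
    return hmac.compare_digest(pbkdf2_hex(password, salt, iterations), stored)


if __name__ == "__main__":
    steve = ("FNkwqx4X", sha256_concat("banana", "FNkwqx4X"))
    alice = ("q1w2e3r4", sha256_concat("banana", "q1w2e3r4"))  # same password
    print(shared_table_hits({"Steve": steve, "Alice": alice}, "FNkwqx4X"))
```

Run it and the table built for Steve's salt lists only Steve even though Alice chose the same password, which is the whole job of the salt; slowing down the per-user attack the thread worries about is the iteration count's job.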