
With Blowfish, what's the point of storing the salt since we can extract it from the hash?

$hash = crypt($password, $salt);

To get the hash we can use

substr($hash, 0, 28)

or

substr($hash, 0, 29)

I don't know if the dot is from the salt or the hashed password though.

Vilarix

1 Answer


A salt value is used to make "rainbow table" attacks harder. Without a random salt, a password would always produce the same hash, and if you could "acquire" a password database full of those hashes, you could easily check them for the known hashes of e.g. the top 100 most used passwords. With a salt you can of course try those too, but you have to call the hash function for each salt, and that takes a lot of time, as hash functions are designed to be "slow" to make brute force attacks hard.

lathspell