Passwords and the need for a random salt.

Hi. I have a question about whether or not a random salt is necessary when there is no centralised database for hackers to attack. It's pretty clear that it's necessary when there is, but is it important when the users simply backup their data to a password encrypted file in a place of their choosing?

Is it possible for someone with malicious intent to extract a hardcoded salt from a compiled app?

[is] random salt … necessary when there is no centralised database for hackers to attack.

Absolutely. Without random salt it’s much easier to map a leaked password hash to a password, and that allows for various forms of privilege escalation (not least of which is that the user might have reused that password in other environments).

Is it possible for someone with malicious intent to extract a hardcoded salt from a compiled app?

Yes. Do not hardcode salt. Rather, generate random salt and store that next to the password hash.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@apple.com"
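To make the "generate random salt and store it next to the hash" advice concrete, here is an added example in Python (not code from the thread or from Apple). It uses the standard library's PBKDF2-HMAC-SHA256; the iteration count, salt length and record format are illustrative choices, and `FIXED_APP_SALT` is a constructed stand-in for the kind of hardcoded salt the question asks about. The last function shows the defender's reason for the rule: with a fixed salt, every user who picks the same password gets the same stored hash, so one precomputed table covers all of them, whereas a per-user random salt makes each stored hash unique.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Illustrative parameters (assumptions for this example, not values from the thread).
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16
ALGORITHM = "pbkdf2-sha256"


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = PBKDF2_ITERATIONS) -> dict:
    """Hash a password with PBKDF2-HMAC-SHA256 under a per-user random salt.

    A fresh salt is drawn from the OS CSPRNG unless one is passed explicitly;
    passing one is only useful here to demonstrate the weakness of a fixed salt.
    """
    if salt is None:
        salt = secrets.token_bytes(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"salt": salt, "iterations": iterations, "hash": digest}


def verify_password(password: str, record: dict) -> bool:
    """Recompute the hash from the salt stored in the record; constant-time compare."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    record["salt"], record["iterations"])
    return hmac.compare_digest(candidate, record["hash"])


def encode_record(record: dict) -> str:
    """Serialise algorithm, iterations, salt and hash together (the 'store it next to the hash' part)."""
    return "$".join([ALGORITHM, str(record["iterations"]),
                     record["salt"].hex(), record["hash"].hex()])


def decode_record(text: str) -> dict:
    """Parse a stored record; nothing needed for verification is hardcoded in the app."""
    algorithm, iterations, salt_hex, hash_hex = text.split("$")
    if algorithm != ALGORITHM:
        raise ValueError(f"unsupported algorithm: {algorithm}")
    return {"salt": bytes.fromhex(salt_hex), "iterations": int(iterations),
            "hash": bytes.fromhex(hash_hex)}


# Constructed stand-in for a salt compiled into an app binary.
FIXED_APP_SALT = b"constructed-salt"


def stored_hashes_repeat(password: str, users: int, fixed_salt: Optional[bytes]) -> bool:
    """True if `users` accounts sharing `password` end up with identical stored hashes.

    With a fixed salt this is always True (one lookup table serves every user);
    with fixed_salt=None each account gets its own random salt and it is False.
    """
    digests = {hash_password(password, salt=fixed_salt)["hash"] for _ in range(users)}
    return len(digests) == 1


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    stored = encode_record(record)
    print("stored record:", stored)
    print("verify ok:", verify_password("correct horse battery staple", decode_record(stored)))
    print("fixed salt repeats across users:", stored_hashes_repeat("hunter2", 3, FIXED_APP_SALT))
    print("random salt repeats across users:", stored_hashes_repeat("hunter2", 3, None))
```

The stored record carries everything verification needs, so a backup file written with this scheme can be checked later without the app holding any secret or fixed salt of its own; extracting the app's binary yields nothing that helps precompute hashes.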