Author Topic: How much salting is really required?  (Read 793 times)

Offline Topazan

How much salting is really required?
« on: February 11, 2010, 02:53:04 PM »
I'm planning to use a compiled backend, so hiding the salt value is less of a problem.  What I'm wondering is what's a good rule of thumb for how many bytes should be added to the hashed strings?  Does it matter if it's added to the beginning or end of the string?

Offline Sagefire135

Re: How much salting is really required?
« Reply #1 on: February 11, 2010, 03:28:01 PM »
I would think that a longer salt is always better (harder to get lucky and figure it out); of course 100 characters would just be overkill. The best place to add a salt is probably right in the middle of whatever you are salting. If your password is wolverine and you just add salt to either end (wolverinesalt), 'wolverine' is still in there, and someone using every common word will have an easier time cracking it than if you put the salt in the middle (wolvsalterine). To the best of my knowledge, that isn't a common word ;)

If you wanted to go a step further, alternating characters between the password and the salt (woslvaerlinte) would make it even harder to just guess.

Offline Topazan

Re: How much salting is really required?
« Reply #2 on: February 11, 2010, 04:01:29 PM »
I guess that makes sense.  I was worried about a performance hit, but I suppose it doesn't really matter since checking passwords isn't something you do continuously.  Alright, thanks.

Offline Harkins

Re: How much salting is really required?
« Reply #3 on: February 11, 2010, 04:02:07 PM »
A couple of bytes is fine. The goal with a hashing algorithm is that a change to any input bit should change half of the output bits, so a little goes a long way - you're just trying to defeat rainbow tables. Placement doesn't matter, so just tack it on the end.

Visit #bbg on irc.freenode.net to talk browser games anytime.

Offline Topazan

Re: How much salting is really required?
« Reply #4 on: February 11, 2010, 05:45:14 PM »
That makes sense, thanks.

Offline 133794m3r

Re: How much salting is really required?
« Reply #5 on: February 12, 2010, 03:01:26 AM »
That makes sense, thanks.

Also, if you're going to hash, use SHA-256, since there are to my knowledge no rainbow tables for it. And yes, a few bytes will be enough to deter some people. I personally would say adding ~10+ characters. But I'm very paranoid. If you want a program to generate this for you, you can check my other post in this section (I think it's in here); it's the one talking about a quick program but no go. Here's the link. http://community.bbgamezone.net/index.php/topic,2673.0.html

Remember md5 hashing = rainbow table attacks. Even if they can't use rainbow tables as their only effort, hashing there is still a lot faster, and a lot easier to do, than SHA-256. Yes, it'll take up a bit more space in your tables, but it's fast and efficient if you wanted everything to be nice and fast. Personally though, after my discussion there, using the Crypt() function and the blowfish crypt would be better, since it's much harder for them to get at it.

But this is all coming from someone who wants to make sure that no one, if they get into my databases, can do anything with them save literally hacking my server and gaining full root control. (That's why my root accounts will be having ~30 character length passwords of random gibberish text.)
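The two pieces of advice the replies above converge on, a random per-user salt to defeat precomputed tables and a deliberately slow hash (what crypt()'s Blowfish mode gives you), combined in one added example written for this thread rather than taken from any poster. It uses the Python standard library's PBKDF2-HMAC-SHA256 as the slow hash; the iteration count and record format are this example's own choices, not anything from the thread.

```python
import hashlib
import hmac
import os
from typing import Optional

SALT_BYTES = 16          # 16 random bytes is far more than a "couple of bytes"
ITERATIONS = 200_000     # constructed value; tune so one hash takes ~100 ms on your hardware


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: 'pbkdf2_sha256$<iter>$<salt hex>$<digest hex>'.

    A fresh random salt is drawn per call, so two users with the same password
    get unrelated digests; that is what makes a precomputed table useless.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)   # never reuse a salt across users
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    try:
        algo, iters, salt_hex, digest_hex = record.split("$")
        salt, stored = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)
        iterations = int(iters)
    except ValueError:
        return False                     # malformed record: reject, don't crash
    if algo != "pbkdf2_sha256" or iterations < 1:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, stored)   # no early-exit timing leak


def same_password_distinct_records(password: str) -> bool:
    """Show the salt doing its job: identical passwords, different stored records,
    both still verifiable."""
    a, b = hash_password(password), hash_password(password)
    return a != b and verify_password(password, a) and verify_password(password, b)


if __name__ == "__main__":
    record = hash_password("wolverine")
    print(record)
    print(verify_password("wolverine", record), verify_password("wolverines", record))
```

Store the whole record string in the user table; the salt is not secret, so it can sit next to the digest, and the iteration count travelling with it lets you raise the cost for new hashes without breaking old ones.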

Offline raestlyn

Re: How much salting is really required?
« Reply #6 on: February 12, 2010, 07:13:37 AM »
pfft, be a real man and do not encrypt the password ;) No-one sees that coming and will be unable to break them as they are expecting some sort of hashing. :P

(no, I'm not serious.)


I can send you pics of my cocks if you want reference.