-
What's a salted hash
What you need to know for this conversation is that with a hash function you can't derive the input from the output. If that were the only characteristic, modulo 10 would be a hash function. If the output is 3, you don't know if the input was 3, 13, 53 or 1003. Obviously that isn't useful for password systems as one in 10 guesses would get you a login. Actual hash functions have a rather larger number of possible outputs which are "scattered" so that knowing the result for "bed" doesn't help you guess the result for "bee".
So the basis of most password systems is the storage of the output of a hash function applied to the password.
Time was, it was enough to simply store the hash. Even if somebody stole the password database, they couldn't just work backwards to the passwords. They'd have to a) know the hash function used (although there are only a few ones in common use) and b) run all the possible character combinations through the hash function until they found a match.
Then Moore's Law kicked in and it became quite feasible to do this. Particularly if you had the whole password database, since you could crack all of the passwords in one pass. So a randomly-chosen short sequence of bytes - the salt - would be added to the password before it was hashed. The salt would be stored alongside the password - which might seem unhelpful but the aim isn't to make one password harder to crack but to make a password database much harder to crack in a single pass, since for each possible password sequence you now also have to try each possible salt.
Even today, storing passwords in plain text is surprisingly common in incompetent/careless/unprincipled businesses.
Agreed to the one upmanship, let's just say that we are having a nice chat? For the benefit of other people reading this, rather than for ourselves.
Anyway, for those who may not realise it:
Don't reject any characters in passwords.
Don't put a (needless) upper limit on the length of passwords.
Do hash your passwords before storing.
Do salt your hashes.
Do store the salted hashes in the DB.
Do ensure that your DB can store any value created by your hash function.
Do compare hashes when authenticating.
Whatever else I have forgotten.