I’ve been doing some research about securely storing passwords in a database. It is generally suggested that you use a salt. As explained in one of the answers in Secure hash and salt for PHP passwords, this changes the value of hashes, making a password more difficult to compromise.
As part of the verification mechanism, the password entered by the user is combined with the salt and hashed as needed. Given that the salt is transparent to the user, how does using salt provide any added benefit?
As I see it, with or without hashing, the same password will successfully authenticate you, because the plumbing that makes it different will take place behind the scenes. That is why none of the articles I’ve read so far have clarified things.
consider a scenario, where you accept a password from you user and you are sending it over network or storing in database as plain-text.
if your user enters a password say 6-8 characters long. A hacker may have pre-generate hashes for all possible strings of 6-8 characters length and he can possibly deduce the password, by comparing it with your hash.(Matching your hash against all the pre-generates hashes, he can get a set of possible candidates,if collision occurs)
But if you append a salt of say 30 chracters to his plain-text password and then hash it. it becomes very difficult for any hacker to pre-generate all the possible combinations of that range. That is the main reason why we use a salt.
You cant restrict every user to input a 30 character long password for security purposes. if any user chooses a 4 char length password, just add 30 char salt and make it more secure.