Hey everyone! I'm curious about password management and storage today, as it seems outdated information is still floating around. I've come across some older posts that suggest storing salt from /dev/random in plaintext alongside hashed passwords (using SHA256 of salt + password). However, I'm wondering if that method is still safe? If a system gets compromised, could someone still use a rainbow table against the SHA256 hashes and exclude the salt? Also, how do modern companies set up and manage passwords securely in 2025? I'm looking for a practical example of how this might work, considering security best practices. Thanks!
2 Answers
Actually, the purpose of using salt is to prevent rainbow table attacks. If you use plaintext salt combined with a SHA256 hash of the password and salt, it's much harder to crack, even if both are exposed. The salt's uniqueness for each password is a key security feature.
You can check out the OWASP Password Storage Cheat Sheet; it has the latest recommendations. The TL;DR is to use Argon2id or PBKDF2 for hashing your passwords. These methods ensure better security than traditional methods.
Thanks for the recommendation! I'll definitely look into those. It’s good to know there are more secure options out there.
Got it! So even if someone got both the salt and hash, they still wouldn't be able to reverse it, right? That makes sense. What are some tools or programs used in 2025 for this? I'd love to know how it's implemented.