I researched password hashing and cracking and I have some misconceptions:
First rule of thumb to create a strong password is to use 10+ combination of digits/upper/lower/symbols to prevent brute force attacks. Then the problem will be only if the password is a member of a pre-made table (whether it was long or short password).
Let’s say the password is QWERTY and assume that:
Hash(QWERTY) = $ $ $ $
Hash(QWERTY+134565654) = ####
Hash(QWERTY+876964786) = &&&
And let’s think about how salt will help:
For brute force:
The unsalted one $ $ $ $ is easy to brute force
The salted ones #### and &&& are harder to brute force because they are longer and even if they were brute-forced the hackers won’t know the password unless they have the salt
For rainbow tables:
The unsalted one is easy to look in rainbow table with $ $ $ $
The second one when you look for a rainbow table for #### you won’t find anything
For rainbow tables, if the hacker has the salt when he broke the database: The hacker has #### and has 134565654 The hacker will need to implement a new rainbow table for all the known passwords with appending 134565654 to them until he finds that #### matches QWERTY+134565654 and knows the password
Since every user has their own salt, cracking User1 password from creating a 134565654 specific rainbow table, won’t help the hacker to know that User 2 has the same password, so the hacker will need to do another 876964786 specific rainbow table for this user
It takes longer time to crack 1 password but isn’t it still feasible with modern GPUs allowing to create fast Rainbow tables?
Unlike the previous example (where the salt would be stored in a separate column for example) bcrypt computes the salt through rounds (say 10), so it runs the slow bcrypt hashing algorithm 10 times on the password before storing in the database and before verifying user login.
Since the bcrypt algorithm is known, why wouldn’t hackers create a bcrypt rainbow table for each round? So this way they will create just 31 bcrypt rainbow tables for the common and short lengths passwords?
If what I’m saying is true, does this mean that salting helps only against brute force without salt value exposed, but doesn’t really help against strong GPUs with the salt value?