Many recommendations for storing passwords recommend
hash(salt + password) rather than
hash(password + salt).
Doesn’t putting the salt first make it much faster for the attacker to bruteforce the password, because they can precompute the state of the hashing function with the bytes of the salt, and then each time of their billions and trillions attempts they only need to finish calculating the hash using the bytes of the password.
In other words, each bruteforce iteration needs to calculate only the hash of the password
intermediateHashState(password) instead of the whole
hash(salt + password).
And if the salt was placed after the password, the attacker wouldn’t have this shortcut.
Does this advantage exist and is it significant?