The salt is stored in the same table as the hash. All the salt does is prevent super easy rainbow table attacks. You can still attack the passwords with brute force. Most people still use simple passwords that barely satisfy password requirements like password1!. There are freely available cracking algorithms that target the same “clever” password patterns that everyone uses. It greatly reduces the time it takes to crack passwords, and if you have a table with a million passwords in it, it’ll only take a couple days on a few GPUs to crack 15,000 of the simpler ones.
Assuming the hashes aren’t salted. Salting has been standard for years if not decades at this point.
But of course that won’t stop people from rejecting mature libraries and rolling their own insecure implementations.
My doctor says I should reduce my cholesterol and sodium intake. No salted hash for me, thanks.
The salt is stored in the same table as the hash. All the salt does is prevent super easy rainbow table attacks. You can still attack the passwords with brute force. Most people still use simple passwords that barely satisfy password requirements like
password1!
. There are freely available cracking algorithms that target the same “clever” password patterns that everyone uses. It greatly reduces the time it takes to crack passwords, and if you have a table with a million passwords in it, it’ll only take a couple days on a few GPUs to crack 15,000 of the simpler ones.