Optimal password salt length

Posted by Juliusz Gonera on Stack Overflow See other posts from Stack Overflow or by Juliusz Gonera
Published on 2010-06-12T13:41:16Z Indexed on 2010/06/12 13:42 UTC
Read the original article Hit count: 302

Filed under:
|
|
|

I tried to find the answer to this question on Stack Overflow without any success.

Let's say I store passwords using SHA-1 hash (so it's 160 bits) and let's assume that SHA-1 is enough for my application. How long should be the salt used to generated password's hash?

The only answer I found was that there's no point in making it longer than the hash itself (160 bits in this case) which sounds logical, but should I make it that long? E.g. Ubuntu uses 8-byte salt with SHA-512 (I guess), so would 8 bytes be enough for SHA-1 too or maybe it would be too much?

© Stack Overflow or respective owner

Related posts about security

Related posts about cryptography