Salt vs Long Password

A salt is not as secure as a long password, because the salt is stored on the server.

The problem short passwords face without a salt is this: with access to a rainbow table (a kind of password-to-hash map) and the hash of a password, a table lookup returns the plaintext, which is either your password or another password that hashes to the same value (a collision).

A longer password requires a bigger rainbow table, and is therefore safer. However, people don't like long passwords, and that is where the salt comes into play. The server says to the user, "I will add some letters to your password, but I will remember the added part so that you don't have to." The added part is the $SALT. Now we don't have to remember the whole long password, at the cost that $SALT is no secret, because it is saved by the server.

Here is a command I tried on my Ubuntu. This line from /etc/shadow is for the password 'mypass':

$6$3zTDsuzi$00giYxlM8HUtmuH3qBC0J0IgDzOg8hKzUZZwjb.3lKRWvtwTikVECguVpaO3b.CGpNQYCc5EnRVEsDudt1eOU1

The salt is 3zTDsuzi, and the $6$ prefix means the algorithm is SHA-512 (sha512crypt). This command:

$ python -c 'import crypt; print(crypt.crypt("mypass", "$6$3zTDsuzi$"))'

returns $6$3zTDsuzi$00giYxlM8…, which matches the line in the shadow file. (The crypt module was deprecated in Python 3.11 and removed in 3.13, so this needs an older interpreter.)
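To make the argument above concrete, here is an added example (not from the original post): it parses the $id$salt$hash field from the shadow line, builds a precomputed hash-to-password lookup table (the simple cousin of a rainbow table) over a constructed candidate list, shows that the table recovers an unsalted hash but misses the salted one, and verifies a password against its salted hash. Plain SHA-512 stands in for sha512crypt, which is assumed here only to keep the block short.

```python
import hashlib
import hmac
import os

# Constructed candidate list standing in for the word list a precomputed
# hash table would be built from (not from the page).
CANDIDATES = ["123456", "password", "mypass", "letmein", "qwerty"]

# Algorithm ids of the modular crypt format used in /etc/shadow ($id$salt$hash).
CRYPT_IDS = {"1": "md5crypt", "5": "sha256crypt", "6": "sha512crypt"}


def parse_shadow_field(field):
    """Split a $id$salt$hash field into (algorithm name, salt, hash)."""
    parts = field.split("$")
    if len(parts) != 4 or parts[0] != "":
        raise ValueError("not a modular crypt format field")
    _, crypt_id, salt, digest = parts
    return CRYPT_IDS.get(crypt_id, "unknown(" + crypt_id + ")"), salt, digest


def sha512_hex(password, salt=""):
    # Plain SHA-512 over salt+password; sha512crypt's key stretching is
    # omitted, but the salt's effect on precomputation is the same.
    return hashlib.sha512((salt + password).encode()).hexdigest()


def build_lookup_table(candidates):
    """Precompute hash -> plaintext for unsalted hashes of the candidates."""
    return {sha512_hex(p): p for p in candidates}


def lookup(table, digest):
    """Return the plaintext the precomputed table maps this hash to, if any."""
    return table.get(digest)


def new_salt(nbytes=8):
    # A fresh random salt per user: the table above was built without it,
    # so its entries do not match, and the salt need not be secret.
    return os.urandom(nbytes).hex()


def verify(password, salt, stored):
    # Constant-time comparison of the recomputed salted hash with the stored one.
    return hmac.compare_digest(sha512_hex(password, salt), stored)
```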