Say I want to create a password that is purely random, call it randPass
of size 32 characters.
Is there any advantage in terms of security of using this directly as a password, vs hashing and salting it (like md5(randPass + salt)
?
I mean at the end of the day, they will both be a 32 character long random characters.
Here is a dummy example:
salt = SFZYCr4Ul1zz1rhurksC67AugGIYOKs5;
randPass = VgQK1AOlXYiNwfe74RlU8e8E4szC4UXK;
Then the md5(randPass + salt) = md5(VgQK1AOlXYiNwfe74RlU8e8E4szC4UXKSFZYCr4Ul1zz1rhurksC67AugGIYOKs5)
becomes
hash = dddbc2cbda808beeb7e64ce578ef4020
The main advantage of a RANDOM salt is that you cannot run a dictionary attack against the hash table since each password should have a different salt, thus "Password" and salt "jfadljfadiufosd38120809321" turns into "Passwordjfadljfadiufosd38120809321" which is definitely not in a pre-computed dictionary md5 hash dictionary so you cannot do a reverse lookup and figure out the users password.