Random string vs hashed and salted string

Question

Say I want to create a password that is purely random, call it randPass of size 32 characters.

Is there any advantage in terms of security of using this directly as a password, vs hashing and salting it (like md5(randPass + salt)?

I mean at the end of the day, they will both be a 32 character long random characters.

Here is a dummy example:

salt = SFZYCr4Ul1zz1rhurksC67AugGIYOKs5;
randPass = VgQK1AOlXYiNwfe74RlU8e8E4szC4UXK;

Then the md5(randPass + salt) = md5(VgQK1AOlXYiNwfe74RlU8e8E4szC4UXKSFZYCr4Ul1zz1rhurksC67AugGIYOKs5) becomes

hash = dddbc2cbda808beeb7e64ce578ef4020

Answer 1

It depends on the specific usage of the string.

If the random string is truly random, then for immediate usage there is no advantage over a hashed and salted string (of the same byte length).

Theoretically, the hashed version can even be "less random" than the original random string, because an identical hash string for two different input strings likely exists (doesn't matter in practice).

But if you send the string over the network or store it in a database, you might want the same string "look different" under certain circumstances.

Adding salt

The same string always produces the same hashed string. You might not want that.

Adding a Salt will make the hashed string always be different with a different salt (even if the salt was known).

E.g.

• The same password will be stored as the same hash string in two different databases (so a hacker that knows one of them also knows the other, and might not know the original password).
• A hashed password that was captured when sent over the network might be sent again by an attacker.
• The same hashed message sent multiple times will always be the same string (which could make it easier to guess the original text).
• ...

Hashing

Simply hashing a random string can be used to just make it different to the original string (with or without salt).

E.g. you might send a hashed version of some code during an authorization process, then later send the original version in a different step (which simply has to be hashed again by the server to verify it).

If the first, hashed version was intercepted by an attacker, the attacker still can not use it for the second step.

(The same principle could of course be applied by hashing an already hashed string.)

Answer 2

By using a hash you are limiting the characters in the password.

Hash characters are: range(0,9) and range('a','f').

More characters is better.

If the password is to be submitted to a web page then the symbols should not include those commonly used in sql injection. (e.g. ",',%,\)
To eliminate symbols change range('!','@') to range('0','9')

Set your criteria for how many and what characters and symbols are allowed.
This algorithm uses upper case, lower case, numeric and symbols.
Length of 32 characters.

$characters = array_merge(
range('a','z'),
range('A','Z'),
range('!','@'));
shuffle($characters);
shuffle($characters);
$characters = array_flip($characters);
$ndx = 33;
$pass = '';
while($ndx-->1){
  $pass .= array_rand($characters);
}
echo $pass;

Answer 3

The main advantage of a RANDOM salt is that you cannot run a dictionary attack against the hash table since each password should have a different salt, thus "Password" and salt "jfadljfadiufosd38120809321" turns into "Passwordjfadljfadiufosd38120809321" which is definitely not in a pre-computed dictionary md5 hash dictionary so you cannot do a reverse lookup and figure out the users password.