Salt Alone Won't Save You

Salting password hashes is important, but not enough on its own

Here are some entries from a recovered password database.

$(y3]<+9zmi4|$6Rup8P8oJnxK98aXa8HhGROLdvws9xmgawl7rsh2E5E=
$b*.m,%~&<"^6$l93FR8Rq8a+YIUdcC2Kdake7/rlSU1zAr/9yAiRZVI0=
$9bOv^Gu)oB&P$EdEfD9X20gQi+sUYRvHyuoCMGq7DCeD/UJSSDmCvjZA=
$kPD)T)=~1K{r$BgOuh0tBaGKtcFscQvdwFBscgC+pYKW1qpFDDwTJRAA=
$4.9.mHSbiQ]^$by2hg2rG18QKk9pMqa/Fb9vnJ5/NEvR5qpg9SVdy3nM=
${4[1m"WqdR0s$Vz+gAWYf/8PIKu7ILxaVFnDcNCzAcerci8caiCYgm2Y=
$3ui!yKfT0[Si$QZJcfHWh+OsdkgkrrZNp8ZkYlc3sWlT57PgC/YhmaRY=

The hashes use a strong, per-entry salt, but lucky for us they were computed with just one iteration of a cryptographic hash function. Some of the passwords are present in the rockyou password list. Recover the passwords that are in the rockyou list and submit them concatenated alphabetically.

The hash function used:

import base64, hashlib

def hash(salt, password):
    # sha256(password | salt), where | denotes concatenation
    hash_val = hashlib.sha256((password + salt).encode()).digest()
    # record format: '$' | salt | '$' | base64(hash_val)
    return '$' + salt + '$' + base64.b64encode(hash_val).decode()

Test Vector

Given these hashes:

$F&XUtH6krgmy$jZ83Epqxk7QUo7D6Rev2AEfQuvMHokwm/QBQDfR+r6Q=
$UA~R<9E'\n9\$6XP2CXRjVfmCcuz2OWCtLPIVI/1J9ZQojr+MxRCUY/E=
$_)lOt8&:j5%f$Gu99fWD+K8lsHE+0lizszH8Kkb5QPrjz3osT4/LFexo=

We can see that the first was created from jo353ph, the second was created from a password not contained in the rockyou list, and the third was created from asiomas. So the solution would be asiomasjo353ph.
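Added example, not part of the challenge text: a Python implementation of the record format above, a defender-side audit that checks a set of records against a small breach wordlist and returns the result in the challenge's submission format, and the fix the challenge points at (an iterated KDF in place of a single SHA-256). The wordlist, salts and records below are constructed for this example, not the challenge's hashes, and the `$pbkdf2$iterations$salt$b64` layout of the slow records is this example's own assumption.

```python
import base64
import hashlib
import hmac

# Record format from the challenge: '$' + salt + '$' + base64(sha256(password + salt)).
# Assumption: salt and password are text and are UTF-8 encoded before hashing.


def hash_record(salt, password):
    """Build a record exactly as the challenge's hash(salt, password) does."""
    digest = hashlib.sha256((password + salt).encode("utf-8")).digest()
    return "$" + salt + "$" + base64.b64encode(digest).decode("ascii")


def parse_record(record):
    """Split '$salt$b64' into (salt, raw digest).

    The salt can hold any printable character, '$' included, while the base64
    part never contains '$', so the record is split on the LAST '$'.
    """
    if not record.startswith("$"):
        raise ValueError("record must start with '$'")
    salt, b64 = record[1:].rsplit("$", 1)
    digest = base64.b64decode(b64)
    if len(digest) != hashlib.sha256().digest_size:
        raise ValueError("digest is not a SHA-256 output")
    return salt, digest


def audit_against_wordlist(records, wordlist):
    """Defender-side check: which records are reproduced by a word in the list?

    Each guess costs one SHA-256 call, so the whole audit costs
    len(records) * len(wordlist) calls. The per-record salt only stops work
    from being shared across records; it does nothing to slow down the
    per-record dictionary check, which is the point of the challenge.
    """
    found = {}
    for record in records:
        salt, digest = parse_record(record)
        for word in wordlist:
            candidate = hashlib.sha256((word + salt).encode("utf-8")).digest()
            if hmac.compare_digest(candidate, digest):
                found[record] = word
                break
    return found


def recovered_concatenated(records, wordlist):
    """The challenge's submission format: recovered passwords, concatenated alphabetically."""
    return "".join(sorted(audit_against_wordlist(records, wordlist).values()))


# Mitigation: an iterated KDF. PBKDF2-HMAC-SHA256 with n iterations makes every
# guess cost roughly n SHA-256 calls instead of one, so the same audit (or
# attack) becomes n times more expensive per record. The '$pbkdf2$n$salt$b64'
# layout is this example's own choice.
def slow_hash_record(salt, password, iterations=100_000):
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt.encode("utf-8"), iterations)
    return "$pbkdf2$" + str(iterations) + "$" + salt + "$" + base64.b64encode(dk).decode("ascii")


def verify_slow(record, password):
    prefix = "$pbkdf2$"
    if not record.startswith(prefix):
        raise ValueError("not a pbkdf2 record")
    iters_str, rest = record[len(prefix):].split("$", 1)
    salt, b64 = rest.rsplit("$", 1)  # again split on the last '$' so the salt may contain one
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt.encode("utf-8"), int(iters_str))
    return hmac.compare_digest(dk, base64.b64decode(b64))


# Constructed sample data (not the challenge's hashes): a tiny stand-in for a
# breach wordlist and three records, two of which use a listed password.
SAMPLE_WORDLIST = ["password", "letmein", "dragon", "qwerty", "iloveyou"]
SAMPLE_RECORDS = [
    hash_record("x1!Salt#demo", "letmein"),
    hash_record("Q9$z.k]<Ab~2", "correct-horse-battery"),  # not in the wordlist; salt contains '$'
    hash_record("m)3~Vp&|tL0s", "dragon"),
]

if __name__ == "__main__":
    print(audit_against_wordlist(SAMPLE_RECORDS, SAMPLE_WORDLIST))
    print(recovered_concatenated(SAMPLE_RECORDS, SAMPLE_WORDLIST))  # dragonletmein
```

Two design points worth noting: the parser splits on the last `$` because the salts in this scheme are arbitrary printable characters (the second test vector's salt even ends in a backslash), and the audit's cost is proportional to records times guesses with one fast hash each, which is exactly why the single-iteration scheme falls to a wordlist while the PBKDF2 variant multiplies every guess's cost by the iteration count.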