Suppose that I have a password in plaintext. I also have the hashed version of the password. Say it uses MD5. Is it possible to find out what the salt is given the above information? I'm guessing not?
3 Answers
No. It's impossible to find the salt if you don't already have it unless something is seriously broken or unusual.
You may already have the salt because it's common practice to store the hash together with the salt. Many password hashing interfaces even output a hash string which contains the “real” hash, the salt, and additional metadata identifying the algorithm and the iteration count. For example, the output of the Unix crypt() function looks like $5$salt$hash where 5 identifies the hash algorithm, salt is the salt encoded in Base64 and hash is the output of the underlying function also in Base64. The PHC string format, promoted by the Password Hashing Competition, has a very similar format.
But if all you have is the hash itself, then for anything remotely resembling a proper password hash and even for most things that aren't, the only way to find the salt is by trying every possible salt until you find the right one, just like the only way to find the password is by trying every possible password until you find the right one. Even something broken like MD5(password + salt) (broken as a password hash because it's far too fast) makes it impossible to find the salt without guessing it. That's preimage resistance, and even hashes like MD4 and MD5 that are badly broken with respect to collision resistance still have preimage resistance.
With the password, guessing is a real risk: most users choose passwords that are at best a slightly modified dictionary word, which can be guessed in seconds of computer time with a broken hash like MD5 and may still be barely manageable but slow with a properly slow hash. But the salt is not chosen by a human. It's usually generated randomly so brute force among all possibilities is the only way. And it's usually long enough that brute force is not feasible. You'll only realistically be able to find the salt if either it wasn't generated randomly (or with a non-cryptographic random generator, or with a badly seeded generator), or if it's too short for comfort.
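The cost argument in the answer above, as an added example that is not part of any of the answers: with the password known, every candidate salt still costs one hash evaluation, so a 2-byte salt falls inside a small guess budget while a random 16-byte salt does not. It assumes the MD5(password + salt) construction the answer mentions; the password, salt values, guess budget and function names are constructed for illustration.

```python
import hashlib
import itertools
import os


def md5_salted(password: bytes, salt: bytes) -> bytes:
    """The weak construction named in the answer: MD5(password + salt)."""
    return hashlib.md5(password + salt).digest()


def salt_space(salt_len: int) -> int:
    """Number of distinct salts of salt_len bytes."""
    return 256 ** salt_len


def search_salt(password: bytes, digest: bytes, salt_len: int, budget: int):
    """Enumerate salts of salt_len bytes, stopping after `budget` guesses.

    Returns (salt or None, guesses_made). Preimage resistance means there
    is no shortcut: knowing the password does not narrow the salt space.
    """
    guesses = 0
    for candidate in itertools.product(range(256), repeat=salt_len):
        if guesses >= budget:
            return None, guesses
        guesses += 1
        salt = bytes(candidate)
        if md5_salted(password, salt) == digest:
            return salt, guesses
    return None, guesses


def demo(budget: int = 1 << 17):
    password = b"correct horse"      # constructed sample password
    short_salt = b"\x9c\x41"         # constructed 2-byte salt ("too short for comfort")
    long_salt = os.urandom(16)       # random 16-byte salt, as a proper scheme would use
    short = search_salt(password, md5_salted(password, short_salt), 2, budget)
    long_ = search_salt(password, md5_salted(password, long_salt), 16, budget)
    return short_salt, short, long_


if __name__ == "__main__":
    short_salt, (found, n), (missed, m) = demo()
    print(f"2-byte salt: found={found == short_salt} after {n} of {salt_space(2)} guesses")
    print(f"16-byte salt: found={missed is not None} after {m} of {salt_space(16)} guesses")
```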
If the hash function is preimage resistant, then it's hard to find any input that hashes to a randomly selected given result. In this case it's not a randomly selected result because we know part of the input, but that doesn't make guessing the salt any easier.
Disclaimer #1: MD5 shouldn't be used anymore because its collision resistance has been utterly broken, but its preimage resistance hasn't been broken in practice so far.
Disclaimer #2: People should only ever be hashing passwords with specialized password hashing functions like Argon2, bcrypt or PBKDF2. Concatenating a salt and password yourself and passing it to any plain old hash function is a bad idea.
This question has already been answered over on Information Security SE.
Short answer: Possible but difficult.
The time and resources it would take would likely not be worth it, since best practice is for a salt to not be intentionally reused.
From Auth0:
The salt doesn't need to be encrypted, for example. Salts are in place to prevent someone from cracking passwords at large and can be stored in cleartext in our database next to the hashes. However, we do not want to make the salts readily accessible to the public.