Unlike what others said, it does matter! And as @einstein said, if you care, use HMAC.

Why prefix is bad: because one can calculate the intermediate state of the checksum up to the given fixed salt prefix, then start calculating the rest in parallel. In summary, phrase+salt is more secure than salt+phrase, but HMAC(salt, phrase) is even better.
https://www.skullsecurity.org/2012/everything-you-need-to-know-about-hash-length-extension-attacks
https://blog.silentsignal.eu/2015/09/17/finding-the-salt-with-sql-inception/
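
The intermediate-state point in the answer above, as an added example that is not part of the original answer: with a fixed salt prefix the hash state after the salt can be saved once and resumed for every phrase, while a suffix salt leaves nothing to reuse. SHA-256, the sample salt, the phrases and all helper names are assumptions made for illustration.

```python
import hashlib
import hmac

BLOCK = 64  # SHA-256 processes input in 64-byte blocks

def prefix_digest(salt: bytes, phrase: bytes) -> str:
    """H(salt + phrase), computed from scratch."""
    return hashlib.sha256(salt + phrase).hexdigest()

def prefix_digests_with_midstate(salt: bytes, phrases) -> list:
    """Same digests as prefix_digest, but the salt is absorbed only once."""
    midstate = hashlib.sha256(salt)   # state after the fixed salt prefix
    out = []
    for phrase in phrases:
        h = midstate.copy()           # resume from the saved state
        h.update(phrase)
        out.append(h.hexdigest())
    return out

def suffix_digest(salt: bytes, phrase: bytes) -> str:
    """H(phrase + salt): the varying part comes first, so no shared state."""
    return hashlib.sha256(phrase + salt).hexdigest()

def hmac_digest(salt: bytes, phrase: bytes) -> str:
    """HMAC(salt, phrase): salt used as the key, phrase as the message."""
    return hmac.new(salt, phrase, hashlib.sha256).hexdigest()

def blocks_per_phrase(salt_len: int, phrase_len: int) -> dict:
    """Compression-function calls needed per phrase in each layout."""
    # Padding adds one 0x80 byte plus an 8-byte length, rounded up to a block.
    total = (salt_len + phrase_len + 9 + BLOCK - 1) // BLOCK
    reusable = salt_len // BLOCK      # whole salt blocks covered by the midstate
    return {"prefix_midstate": total - reusable, "suffix": total}

# Constructed sample values, not taken from the page.
SALT = bytes(range(128))
PHRASES = [b"correct horse", b"battery staple", b"hunter2"]

if __name__ == "__main__":
    fast = prefix_digests_with_midstate(SALT, PHRASES)
    slow = [prefix_digest(SALT, p) for p in PHRASES]
    print("midstate reuse gives identical digests:", fast == slow)
    print("blocks hashed per phrase:", blocks_per_phrase(len(SALT), 10))
    print("HMAC(salt, phrase):", hmac_digest(SALT, PHRASES[0]))
```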