HW/FW security researcher & Demoscene elder.
I started having arguments online back on Fidonet and Usenet. I’m too tired to care now.
No, it most definitely does not need to be private. The idea with salt is to invalidate rainbow tables. If you’re “keeping it private” it’s just another password.
The salt and the password (or its version after key stretching) are concatenated and fed to a cryptographic hash function, and the output hash value is then stored with the salt in a database. The salt does not need to be encrypted, because knowing the salt would not help the attacker.
While I’m not arguing for doing the crypto client side, the salt isn’t needed to be private - only unique.
It does. If you hash the user passwords, which you should, the hash is always the same length and it’s thus irrelevant how many characters the user’s password consists of.
Now, it’s not certain though, which wasn’t claimed either, because the front end developer might have other reasons for setting limits. The backend shouldn’t care though.
https://www.reddit.com/r/MapPorn/comments/951w28/world_map_of_tradition_of_removing_shoes_in_home/