Questions tagged [salt]

A cryptographic technique in which random bits (the salt) are combined with a string (typically a password) before it is run through a one-way hash, producing a new string that can be used for authentication without giving access to the original string. If the salt carries enough random bits, the resulting hash is generally considered cryptographically secure.

1163 questions
264 votes, 7 answers

Where do you store your salt strings?

I've always used a proper per-entry salt string when hashing passwords for database storage. For my needs, storing the salt in the DB next to the hashed password has always worked fine. However, some people recommend that the salt be stored…
friedo
228 votes, 10 answers

How does password salt help against a rainbow table attack?

I'm having some trouble understanding the purpose of a salt to a password. It's my understanding that the primary use is to hamper a rainbow table attack. However, the methods I've seen to implement this don't seem to really make the problem…
Rich
194 votes, 1 answer

Do I need to store the salt with bcrypt?

bCrypt's javadoc has this code for how to encrypt a password: String pw_hash = BCrypt.hashpw(plain_password, BCrypt.gensalt()); To check whether a plaintext password matches one that has been hashed previously, use the checkpw method: if…
RodeoClown
187 votes, 14 answers

Hash and salt passwords in C#

I was just going through one of DavidHayden's articles on Hashing User Passwords. Really I can't get what he is trying to achieve. Here is his code: private static string CreateSalt(int size) { //Generate a cryptographic random number. …
ACP
169 votes, 6 answers

How can I store my users' passwords safely?

How much more safe is this than plain MD5? I've just started looking into password security. I'm pretty new to PHP. $salt = 'csdnfgksdgojnmfnb'; $password = md5($salt.$_POST['password']); $result = mysql_query("SELECT id FROM users …
Rebar
163 votes, 5 answers

Best Practices: Salting & peppering passwords?

I came across a discussion in which I learned that what I'd been doing wasn't in fact salting passwords but peppering them, and I've since begun doing both with a function like: hash_function($salt.hash_function($pepper.$password)) [multiple…
Glitch Desire
161 votes, 8 answers

Salting Your Password: Best Practices?

I've always been curious... Which is better when salting a password for hashing: prefix, or postfix? Why? Or does it matter, so long as you salt? To explain: We all (hopefully) know by now that we should salt a password before we hash it for storage…
Randolpho
133 votes, 5 answers

What is the optimal length for user password salt?

Any salt at all will obviously help when salting and hashing a user's password. Are there any best practices for how long the salt should be? I'll be storing the salt in my user table, so I would like the best tradeoff between storage size and…
David
110 votes, 7 answers

How to use PHP's password_hash to hash and verify passwords

Recently I have been trying to implement my own security on a login script I stumbled upon on the internet. After struggling to learn how to make my own script to generate a salt for each user, I stumbled upon password_hash. From what I…
Josh Potter
102 votes, 9 answers

Salt and hash a password in Python

This code is supposed to hash a password with a salt. The salt and hashed password are being saved in the database. The password itself is not. Given the sensitive nature of the operation, I wanted to make sure everything was kosher. import…
Chris Dutrow
86 votes, 11 answers

Why do salts make dictionary attacks 'impossible'?

Update: Please note I am not asking what a salt is, what a rainbow table is, what a dictionary attack is, or what the purpose of a salt is. I am querying: If you know the user's salt and hash, isn't it quite easy to calculate their password? I…
Tom Gullen
75 votes, 6 answers

Salt Generation and open source software

As I understand it, the best practice for generating salts is to use some cryptic formula (or even magic constant) stored in your source code. I'm working on a project that we plan on releasing as open source, but the problem is that with the source…
user199085
68 votes, 1 answer

Does has_secure_password use any form of salting?

I want to use has_secure_password to store encrypted passwords in the database. I can't find on the internet whether has_secure_password uses any form of salting. If it uses salting, how does it work? Can anyone clarify this for me? Thijs
Thijs
62 votes, 8 answers

Why is a password salt called a "salt"?

Is there a significance to the word "salt" for a password salt?
Kyle Heironimus
59 votes, 9 answers

Is time() a good salt?

I'm looking at some code that I have not written myself. The code tries to hash a password with SHA512 and uses just time() as the salt. Is time() too simple a salt for this or is this code safe? Thanks for the answers and comments. I will sum it up…
zmol