Cryptographic function that takes random bits and a string (typically a password) and uses a one-way hash to produce a new string that can be used for authentication without exposing the original string. If the salt contains enough random bits, the resulting string is generally considered cryptographically secure.
Questions tagged [salt]
1163 questions
264 votes, 7 answers
Where do you store your salt strings?
I've always used a proper per-entry salt string when hashing passwords for database storage. For my needs, storing the salt in the DB next to the hashed password has always worked fine.
However, some people recommend that the salt be stored…
friedo (62,644 rep; 16 gold, 111 silver, 180 bronze badges)
228 votes, 10 answers
How does password salt help against a rainbow table attack?
I'm having some trouble understanding the purpose of a salt to a password. It's my understanding that the primary use is to hamper a rainbow table attack. However, the methods I've seen to implement this don't seem to really make the problem…
Rich (10,547 rep; 9 gold, 55 silver, 87 bronze badges)
194 votes, 1 answer
Do I need to store the salt with bcrypt?
bCrypt's javadoc has this code for how to encrypt a password:
String pw_hash = BCrypt.hashpw(plain_password, BCrypt.gensalt());
To check whether a plaintext password matches one that has been hashed previously, use the checkpw method:
if…
RodeoClown (12,312 rep; 12 gold, 49 silver, 56 bronze badges)
187 votes, 14 answers
Hash and salt passwords in C#
I was just going through one of DavidHayden's articles on Hashing User Passwords.
Really I can't get what he is trying to achieve.
Here is his code:
private static string CreateSalt(int size)
{
//Generate a cryptographic random number.
…
ACP (32,884 rep; 96 gold, 217 silver, 360 bronze badges)
169 votes, 6 answers
How can I store my users' passwords safely?
How much more safe is this than plain MD5? I've just started looking into password security. I'm pretty new to PHP.
$salt = 'csdnfgksdgojnmfnb';
$password = md5($salt.$_POST['password']);
$result = mysql_query("SELECT id FROM users
…
Rebar (1,699 rep; 3 gold, 11 silver, 3 bronze badges)
163 votes, 5 answers
Best Practices: Salting & peppering passwords?
I came across a discussion in which I learned that what I'd been doing wasn't in fact salting passwords but peppering them, and I've since begun doing both with a function like:
hash_function($salt.hash_function($pepper.$password)) [multiple…
Glitch Desire (13,276 rep; 6 gold, 39 silver, 54 bronze badges)
161 votes, 8 answers
Salting Your Password: Best Practices?
I've always been curious... Which is better when salting a password for hashing: prefix, or postfix? Why? Or does it matter, so long as you salt?
To explain: We all (hopefully) know by now that we should salt a password before we hash it for storage…
Randolpho (52,575 rep; 15 gold, 139 silver, 173 bronze badges)
133 votes, 5 answers
What is the optimal length for user password salt?
Any salt at all will obviously help when salting and hashing a user's password. Are there any best practices for how long the salt should be? I'll be storing the salt in my user table, so I would like the best tradeoff between storage size and…
David (6,877 rep; 6 gold, 29 silver, 25 bronze badges)
110 votes, 7 answers
How to use PHP's password_hash to hash and verify passwords
Recently I have been trying to implement my own security on a log in script I stumbled upon on the internet. After struggling to learn how to make my own script to generate a salt for each user, I stumbled upon password_hash.
From what I…
Josh Potter (1,299 rep; 2 gold, 10 silver, 9 bronze badges)
102 votes, 9 answers
Salt and hash a password in Python
This code is supposed to hash a password with a salt. The salt and hashed password are being saved in the database. The password itself is not.
Given the sensitive nature of the operation, I wanted to make sure everything was kosher.
import…
Chris Dutrow (42,732 rep; 59 gold, 174 silver, 243 bronze badges)
86 votes, 11 answers
Why do salts make dictionary attacks 'impossible'?
Update: Please note I am not asking what a salt is, what a rainbow table is, what a dictionary attack is, or what the purpose of a salt is. I am querying: If you know the user's salt and hash, isn't it quite easy to calculate their password?
I…
Tom Gullen (56,187 rep; 79 gold, 269 silver, 433 bronze badges)
75 votes, 6 answers
Salt Generation and open source software
As I understand it, the best practice for generating salts is to use some cryptic formula (or even magic constant) stored in your source code.
I'm working on a project that we plan on releasing as open source, but the problem is that with the source…
user199085 (897 rep; 2 gold, 8 silver, 8 bronze badges)
68 votes, 1 answer
Does has_secure_password use any form of salting?
I want to use has_secure_password to store encrypted passwords in the database. I can't find on the internet if has_secure_password uses any form of salting. If it uses salting, how does it work? Can anyone clarify this for me?
Thijs (2,705 rep; 4 gold, 27 silver, 50 bronze badges)
62 votes, 8 answers
Why is a password salt called a "salt"?
Is there a significance to the word "salt" for a password salt?
Kyle Heironimus (6,973 rep; 6 gold, 33 silver, 47 bronze badges)
59 votes, 9 answers
Is time() a good salt?
I'm looking at some code that I have not written myself. The code tries to hash a password with SHA512 and uses just time() as the salt. Is time() too simple a salt for this or is this code safe?
Thanks for the answers and comments. I will sum it up…
zmol (2,564 rep; 4 gold, 24 silver, 29 bronze badges)