
From what I understand of salting to make an encrypted password more secure, I would generate a random number (the salt) and store it alongside the hashed password, in the user record (for example). I would concatenate the salt with the plaintext password and then encrypt it (hash). The resulting hash would be much more difficult to crack. This process would be repeated to verify the password.

Looking at has_secure_password and bcrypt_ruby (disclosure: I am not a security expert) I don't see how that is done, as the only thing stored in the user record is the hashed password. Where's the salt?

pitosalas
  • See [this question](http://stackoverflow.com/questions/6832445/how-can-bcrypt-have-built-in-salts). Basically, the salt is stored in the same string as the crypted password (that might be over-simplifying, and people with security chops are free to object, but the point is that bcrypt is not inherently insecure) – Flambino Jun 13 '12 at 01:26
  • The link you provided is perfect, thanks! – pitosalas Jun 13 '12 at 17:51
  • 1
    possible duplicate of [Does has\_secure\_password use any form of salting?](http://stackoverflow.com/questions/10139954/does-has-secure-password-use-any-form-of-salting) – Ryenski Jul 08 '15 at 15:12

1 Answer

The password hash and salt are saved in a string column called password_digest in the database. See this question.

Eric Andres
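As an added illustration (not code from the question, the answer, or the bcrypt-ruby project), the Ruby below splits a digest in bcrypt's string format into its named parts. It shows that the salt is stored in the clear inside the same `password_digest` value, which is why verification needs no separate salt column: the library reads the salt back out of the stored string, rehashes the candidate password with it, and compares. `SAMPLE_DIGEST` is a constructed string in that layout, not the hash of any particular password; the optional check at the bottom against the bcrypt gem's `BCrypt::Password#salt` only runs if the gem happens to be installed.

```ruby
# Added example: where the salt lives inside the single string that
# has_secure_password stores in the password_digest column.
# bcrypt uses the "modular crypt" layout:
#
#   $2a$10$N9qo8uLOickgx2ZMRZoMyeIjZAgcfl7p92ldGxad68LJZdL17lhWy
#   |  |  |                      |
#   |  |  |                      +-- 31 chars: the hash (bcrypt's radix-64 alphabet)
#   |  |  +-- 22 chars: the salt, stored in the clear
#   |  +-- cost factor (2^10 key-expansion rounds)
#   +-- algorithm version
#
# SAMPLE_DIGEST is a constructed digest in that layout (assumption: no
# specific password is implied by it).
SAMPLE_DIGEST = "$2a$10$N9qo8uLOickgx2ZMRZoMyeIjZAgcfl7p92ldGxad68LJZdL17lhWy"

# version, two-digit cost, 22-char salt, 31-char hash; total length 60.
BCRYPT_RE = /\A\$(2[abxy]?)\$(\d{2})\$([.\/A-Za-z0-9]{22})([.\/A-Za-z0-9]{31})\z/

# Split a stored digest into its parts; returns nil if it is not a bcrypt digest.
def parse_bcrypt_digest(digest)
  m = BCRYPT_RE.match(digest.to_s)
  return nil unless m
  { version: m[1], cost: m[2].to_i, salt: m[3], hash: m[4] }
end

# The "salt string" in the form bcrypt APIs report it: the 29-char prefix
# "$2a$10$<22-char salt>". Verification feeds this prefix plus the candidate
# password back into the hash function and compares against the 31-char tail.
def salt_prefix(digest)
  parts = parse_bcrypt_digest(digest)
  return nil unless parts
  "$#{parts[:version]}$#{format('%02d', parts[:cost])}$#{parts[:salt]}"
end

if __FILE__ == $0
  p parse_bcrypt_digest(SAMPLE_DIGEST)
  puts salt_prefix(SAMPLE_DIGEST)

  # Optional cross-check with the real gem, skipped when it is not installed.
  begin
    require 'bcrypt'
    stored = BCrypt::Password.new(SAMPLE_DIGEST)
    puts "gem reports salt: #{stored.salt}"
    puts "matches parsed prefix: #{stored.salt == salt_prefix(SAMPLE_DIGEST)}"
  rescue LoadError
    puts "bcrypt gem not installed; skipping cross-check"
  end
end
```

The practical consequence for a Rails model: a leaked `users` table exposes every salt, but each salt is unique and random, so an attacker still has to run the full bcrypt cost for every password guess per user rather than once against a shared table. Raising the cost factor is the knob that keeps that work expensive over time.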