
I have created a login system, and have been told to hash and salt my passwords. Now, I've looked on Google, MSDN, SO, and found lots of stuff on hashing and salting, but don't seem to understand how to do it? I think I get the process:

You take the user-created password and hash it. This is written to the database, but at the same time you take the hash, and salt it with an RNG from security.cryptography, and add the salt to the database.

Then to undo it, just repeat the process, right?

tony b

2 Answers


It goes like this, when you first store the password:

  1. Generate salt.
  2. Concatenate it to the end of the password.
  3. Hash the password+salt.
  4. Store both the hashed string and the salt for the user.

Then when the user attempts to login:

  1. Get the user's salt.
  2. Concatenate salt to the end of the entered password.
  3. Hash the password+salt.
  4. If the hashed string matches the hashed string stored for the user then the password is correct.

System Down
  • wow, that seems like a lot. How do I get the user's salt though? Isn't every user's salt different? – tony b Oct 04 '13 at 04:13
  • @tonyb - When you first create a user you generate a salt (a string of random characters basically), and store it in the DB with the rest of the user's data as well as the hashed password+salt. – System Down Oct 04 '13 at 04:15
  • So in the database I would have the username, user type, salt and hashed password? And in the program, when a user registers, I would create a salt, add that to the database, then append it to the password, hash it and add that to the database? – tony b Oct 04 '13 at 04:19
  • @tonyb you should generate a new salt and store it along with the hash whenever a new password is set, not just at initial user registration – Preston Guillot Oct 04 '13 at 04:36
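The two procedures in the answer above (store: generate salt, concatenate, hash, store both; login: fetch the user's salt, redo the hash, compare), together with the point in the comments that a fresh salt is generated every time a password is set, as one runnable example. This is an added illustration, not code from the question or the answer. It goes one step beyond the answer: besides the plain `hash(password + salt)` the answer describes, it shows the same flow with PBKDF2 (`hashlib.pbkdf2_hmac`), a deliberately slow salted derivation that makes offline guessing of a leaked database far more expensive than a single fast hash, and it compares digests in constant time. The in-memory `USERS` dictionary stands in for the database table (username, user type, salt, hash); the iteration count is an assumed value.

```python
import hashlib
import hmac
import os

# Constructed in-memory "user table" standing in for the database columns
# the question describes: username, user type, salt, hashed password.
USERS = {}

# PBKDF2 work factor (assumed value; set it as high as login latency allows).
PBKDF2_ITERATIONS = 210_000


def generate_salt(length=16):
    """Step 1 of the answer: a random salt from the OS CSPRNG, one per password."""
    return os.urandom(length)


def hash_password(password, salt):
    """Steps 2-3 exactly as the answer states them: hash(password + salt) with a
    single SHA-256 pass. A fast hash like this can be brute-forced quickly once
    the salt and hash leak, so derive_key() below is the form to deploy."""
    return hashlib.sha256(password.encode("utf-8") + salt).digest()


def derive_key(password, salt, iterations=PBKDF2_ITERATIONS):
    """Same salt-and-hash idea, but through PBKDF2-HMAC-SHA256 so that every
    password guess costs the attacker `iterations` hash computations."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def set_password(username, password, user_type="user"):
    """Step 4, plus the comment's point: a NEW salt is generated each time a
    password is set (registration or password change), never reused."""
    salt = generate_salt()
    record = {
        "user_type": user_type,
        "salt": salt,
        "hash": derive_key(password, salt),
        "iterations": PBKDF2_ITERATIONS,  # stored so the count can be raised later
    }
    USERS[username] = record
    return record


def verify_password(username, password):
    """Login: look up the user's own salt, redo the derivation with the stored
    iteration count, and compare. hmac.compare_digest keeps the comparison
    time independent of where the two digests first differ."""
    record = USERS.get(username)
    if record is None:
        # Do the same amount of work for an unknown user so the response time
        # does not reveal which usernames exist.
        derive_key(password, b"\x00" * 16)
        return False
    candidate = derive_key(password, record["salt"], record["iterations"])
    return hmac.compare_digest(candidate, record["hash"])


if __name__ == "__main__":
    set_password("tony", "correct horse battery staple")
    print("correct password accepted:", verify_password("tony", "correct horse battery staple"))
    print("wrong password accepted:  ", verify_password("tony", "wrong"))
```

Note that the salt is stored in the clear next to the hash; its job is not secrecy but making every user's hash unique, so that identical passwords do not produce identical hashes and a precomputed table cannot be applied to the whole database at once.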

I explain the whole process with examples in my other post here:

Salting passwords 101

Zippit