
Whilst I understand the theology behind the process of salting and hashing a password, I don't quite understand the methodology. As far as I can tell, the methods listed in this question and its pertinent answers, as well as this MSDN article, all go through steps to create a salt of varying length to use in the process of hashing the password given.

However, what about checking the password at a later date? Creating the hash all over again will, as far as I can see, result in an entirely new salt being generated, ultimately causing validation to fail when an attempt is made to log in.

Am I missing where the salt or salt formula is saved? Or have I not quite understood the process?

Wolfish

  • When you hash a password along with a generated salt, you store the salt in plaintext somewhere – 72DFBF5B A0DF5BE9 Oct 14 '15 at 13:58
  • @72DFBF5BA0DF5BE9 So would I be correct in thinking those examples *do not* demonstrate that? Additionally, would it be equally as effective to hardcode a salt in a method that runs at the server? – Wolfish Oct 14 '15 at 14:00
  • A static single salt is not good; it would still slow down the cracking process a lot, but not as much as a dynamic salt per password. I didn't check those examples, but I know for sure that you store the username, password hash and salt in the DB. When the user re-enters the password, you append the salt, hash it and check it. – 72DFBF5B A0DF5BE9 Oct 14 '15 at 14:02
  • @72DFBF5BA0DF5BE9 I see, so a salt is definitely only ever generated once per password? – Wolfish Oct 14 '15 at 14:03
  • Yes, make sure it's random each time for each new password – 72DFBF5B A0DF5BE9 Oct 14 '15 at 14:04

1 Answer


You should:

  1. create a new salt for each password you want to hash
  2. hash the password
  3. save as plain text both the hash and the salt.

When you want to authenticate your user, you just have to compute the hash again with the salt you previously saved in your DB, then compare your hashes.

Here's an excellent article that explains the process in detail. It also provides a complete C# implementation.

ken2k