Stack Overflow
Stack Overflow

Questions tagged [salt]

Cryptography function that takes random bits and a string (typically a password) and uses a one-way hash to provide a new string that can be used for authentication without providing access to the original string. If a salt function uses enough random bits, the resulting string is generally considered cryptographically secure.

1027 questions
300
votes
7 answers

Where do you store your salt strings?

I've always used a proper per-entry salt string when hashing passwords for database storage. For my needs, storing the salt in the DB next to the hashed password has always worked fine. However, some people recommend that the salt be stored…
friedo
  • 65,762
  • 16
  • 114
  • 184
248
votes
10 answers

How does password salt help against a rainbow table attack?

I'm having some trouble understanding the purpose of a salt to a password. It's my understanding that the primary use is to hamper a rainbow table attack. However, the methods I've seen to implement this don't seem to really make the problem…
Rich
  • 12,068
  • 9
  • 62
  • 94
205
votes
1 answer

Do I need to store the salt with bcrypt?

bCrypt's javadoc has this code for how to encrypt a password: String pw_hash = BCrypt.hashpw(plain_password, BCrypt.gensalt()); To check whether a plaintext password matches one that has been hashed previously, use the checkpw method: if…
RodeoClown
  • 13,338
  • 13
  • 52
  • 56
205
votes
17 answers

Hash and salt passwords in C#

I was just going through one of DavidHayden's articles on Hashing User Passwords. Really I can't get what he is trying to achieve. Here is his code: private static string CreateSalt(int size) { //Generate a cryptographic random number. …
ACP
  • 34,682
  • 100
  • 231
  • 371
180
votes
5 answers

Best Practices: Salting & peppering passwords?

I came across a discussion in which I learned that what I'd been doing wasn't in fact salting passwords but peppering them, and I've since begun doing both with a function like: hash_function($salt.hash_function($pepper.$password)) [multiple…
Glitch Desire
  • 14,632
  • 7
  • 43
  • 55
175
votes
7 answers

How can I store my users' passwords safely?

How much more safe is this than plain MD5? I've just started looking into password security. I'm pretty new to PHP. $salt = 'csdnfgksdgojnmfnb'; $password = md5($salt.$_POST['password']); $result = mysql_query("SELECT id FROM users …
Rebar
  • 1,759
  • 3
  • 11
  • 3
166
votes
8 answers

Salting Your Password: Best Practices?

I've always been curious... Which is better when salting a password for hashing: prefix, or postfix? Why? Or does it matter, so long as you salt? To explain: We all (hopefully) know by now that we should salt a password before we hash it for storage…
Randolpho
  • 55,384
  • 17
  • 145
  • 179
142
votes
4 answers

How to use PHP's password_hash to hash and verify passwords

Recently I have been trying to implement my own security on a log in script I stumbled upon on the internet. After struggling of trying to learn how to make my own script to generate a salt for each user, I stumbled upon password_hash. From what I…
Josh Potter
  • 1,629
  • 2
  • 13
  • 11
141
votes
5 answers

What is the optimal length for user password salt?

Any salt at all will obviously help when salting and hashing a user's password. Are there any best practices for how long the salt should be? I'll be storing the salt in my user table, so I would like the best tradeoff between storage size and…
David
  • 7,487
  • 6
  • 32
  • 25
129
votes
9 answers

Salt and hash a password in Python

This code is supposed to hash a password with a salt. The salt and hashed password are being saved in the database. The password itself is not. Given the sensitive nature of the operation, I wanted to make sure everything was kosher. import…
Chris Dutrow
  • 48,402
  • 65
  • 188
  • 258
86
votes
11 answers

Why do salts make dictionary attacks 'impossible'?

Update: Please note I am not asking what a salt is, what a rainbow table is, what a dictionary attack is, or what the purpose of a salt is. I am querying: If you know the users salt and hash, isn't it quite easy to calculate their password? I…
Tom Gullen
  • 61,249
  • 84
  • 283
  • 456
78
votes
6 answers

Salt Generation and open source software

As I understand it, the best practice for generating salts is to use some cryptic formula (or even magic constant) stored in your source code. I'm working on a project that we plan on releasing as open source, but the problem is that with the source…
user199085
  • 917
  • 2
  • 8
  • 8
73
votes
2 answers

What are Salt Rounds and how are Salts stored in Bcrypt?

I'm trying to configure Bcrypt for a node app that I'm making and have several questions about salts that I hope someone here can help kindly answer. What is a salt 'round'? For example, in the github docs…
doctopus
  • 5,349
  • 8
  • 53
  • 105
70
votes
1 answer

Does has_secure_password use any form of salting?

I want to use has_secure_password to store encrypted passwords in the database. I can't find on the the internet if has_secure_password uses any form of salting. If it uses salting, how does it works? Can anyone clarify this for me? Thijs
Thijs
  • 3,015
  • 4
  • 29
  • 54
68
votes
8 answers

Why is a password salt called a "salt"?

Is there a significance to the word "salt" for a password salt?
Kyle Heironimus
  • 7,741
  • 7
  • 39
  • 51
1
2 3
68 69