how does password hash+salt work

I thought I understood hashing and salting passwords, but it seems I have some misconceptions. I am creating a user account system for my website in nodejs.

The way I understood it was that when a user creates a password we generate a random salt, append it to the password and then hash that string. We can also add a work factor to make the hash work slowly and defend against brute force attacks. We store the salt along with the hash in our database and to validate a login attempt we repeat the above process (on the server) with the stored salt and the attempted password and check to see if the hashes match.

It seems that the bcrypt module in nodejs is not consistent with my interpretation of hashing. This is from an example at http://codetheory.in/using-the-node-js-bcrypt-module-to-hash-and-safely-store-passwords/

var bcrypt = require('bcrypt');

var salt = bcrypt.genSaltSync(10);
var hash = bcrypt.hashSync("my password", salt);

First off why is the work factor applied to the salt rather than the hash? If someone is attacking by brute force they would run the hash function correct? Isn't the hash the function we need to be slow?

I'm also confused by validation with bcrypt:

bcrypt.compareSync("my password", hash);

We need the hashes to be unique even if two users select the same password, this is the point of salt right? So why don't we do this?

bcrypt.compareSync("my password"+salt, hash);
gloo asked Feb 20 '14 18:02



1 Answer

The salt contains the number of rounds, so the bcrypt.hash(Sync) function knows how many rounds it has to do. So the hash is also not a simple hash, but a container with an embedded salt.

Alexey Ten answered Oct 11 '22 15:10