Menu
As far as my understanding after reading and researching, the purpose of using salt is supposed to be a different salt for every single password to be stored.
If the same salt is used for storing all password, I can understand how to implement this, as I could just store the salt to a constant private variable and use it. But, that's not the case.
Though it makes perfect sense for storing every new password with new different salt, but how do I suppose to know which user's password associated to which salt ? The quick solution I thought of, was to store the salt along with the user's table property, maybe called as 'salt', but that will lose the purpose of having the salt from the first place too if it's too easy to find the salt from the database.
Can anyone advice on this ?
NOTE: I'm using either Python built in library (hashlib) or Bycrypt (Cryptacular or Passlib)
556
As a result, completely different hashes are generated to prevent the passwords and accounts from being compromised. To prevent password attacks, salts must be unique and random for each login.
Salting is simply the addition of a unique, random string of characters known only to the site to each password before it is hashed, typically this “salt” is placed in front of each password. The salt value needs to be stored by the site, which means sometimes sites use the same salt for every password.
Salts create unique passwords even in the instance of two users choosing the same passwords. Salts help us mitigate hash table attacks by forcing attackers to re-compute them using the salts for each user.
Assuming the salt is very long, not knowing the salt would make it nearly impossible to decrypt hash password with salt(due to the additional length that the salt adds to the password), but you still have to brute force even if you do know the salt.
The quick solution I thought of, was to store the salt along with the user's table property
That's exactly what you do. Knowing the salt doesn't really detract from their benefits:
180
If you are using cryptacular.bcrypt.BCRYPTPasswordManager, then you don't need to worry about salts. It takes care of generating and storing the salt with the hash.
You can see below that the hash-string is different for the same password. It means a salt has been used.
For ex:
>>> import cryptacular.bcrypt
>>> crypt = cryptacular.bcrypt.BCRYPTPasswordManager()
>>> crypt.encode('aaa')
'$2a$10$B0czYdLVHJG4x0HnEuVX2eF7T9m1UZKynw.gRCrq8S98z84msdxdi'
>>> crypt.encode('aaa')
'$2a$10$Ni7K.pQoal3irbGmREYojOYoi0lye/W0Okz7jqoynRJhW5OCi8Upu'
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
