Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Salted Hashed Password with Python (Different salt for every new password)

Tags:

cryptography

hash

salt

As far as my understanding after reading and researching, the purpose of using salt is supposed to be a different salt for every single password to be stored.

If the same salt is used for storing all password, I can understand how to implement this, as I could just store the salt to a constant private variable and use it. But, that's not the case.

Though it makes perfect sense for storing every new password with new different salt, but how do I suppose to know which user's password associated to which salt ? The quick solution I thought of, was to store the salt along with the user's table property, maybe called as 'salt', but that will lose the purpose of having the salt from the first place too if it's too easy to find the salt from the database.

Can anyone advice on this ?

NOTE: I'm using either Python built in library (hashlib) or Bycrypt (Cryptacular or Passlib)

like image 556
MrCooL Avatar asked Jun 16 '12 16:06

MrCooL

People also ask

Should salt be different for each password?

As a result, completely different hashes are generated to prevent the passwords and accounts from being compromised. To prevent password attacks, salts must be unique and random for each login.

Does each password have its individual salt or do all passwords share the same salt?

Salting is simply the addition of a unique, random string of characters known only to the site to each password before it is hashed, typically this “salt” is placed in front of each password. The salt value needs to be stored by the site, which means sometimes sites use the same salt for every password.

Why is it important to hash passwords with a unique salt even if the salt can be publicly known?

Salts create unique passwords even in the instance of two users choosing the same passwords. Salts help us mitigate hash table attacks by forcing attackers to re-compute them using the salts for each user.

Can salted and hashed passwords be decrypted?

Assuming the salt is very long, not knowing the salt would make it nearly impossible to decrypt hash password with salt(due to the additional length that the salt adds to the password), but you still have to brute force even if you do know the salt.

2 Answers

The quick solution I thought of, was to store the salt along with the user's table property

That's exactly what you do. Knowing the salt doesn't really detract from their benefits:

  • Identical passwords in your database will have different hashes.
  • Rainbow tables won't work.
  • Brute-force attacks that attempt to match against any of your hashes will be slowed down.
like image 180
Oliver Charlesworth Avatar answered Sep 28 '22 06:09

Oliver Charlesworth

If you are using cryptacular.bcrypt.BCRYPTPasswordManager, then you don't need to worry about salts. It takes care of generating and storing the salt with the hash.

You can see below that the hash-string is different for the same password. It means a salt has been used.

For ex:

>>> import cryptacular.bcrypt
>>> crypt = cryptacular.bcrypt.BCRYPTPasswordManager()
>>> crypt.encode('aaa')
'$2a$10$B0czYdLVHJG4x0HnEuVX2eF7T9m1UZKynw.gRCrq8S98z84msdxdi'
>>> crypt.encode('aaa')
'$2a$10$Ni7K.pQoal3irbGmREYojOYoi0lye/W0Okz7jqoynRJhW5OCi8Upu'
like image 20
shastry Avatar answered Sep 28 '22 07:09

shastry
Sign in to Comment

Related questions

Consensus-based information disclosure
What encryption algorithm is used in DPAPI for WP7?
How to hash a single file multiple ways at same time?
What's means of Self-Signed Certificate in OpenSSL
Node.js verify function does not verify signature when openssl command line does
Asymmetric authenticated encryption
jsSHA, CryptoJS and OpenSSL libraries giving different results
Why am I getting a Bad Data exception only 5% of the time?
OpenPGP in Go Error: "crypto: requested hash function is unavailable"
Encryption function returns different output every time
Java: Patching client side security policy from applet for AES256
How do I use boost::random_device to generate a cryptographically secure 64 bit integer?
skip method in CipherInputStream
Advantages of SecByteBlock class from Crypto++
What is difference between crypto and bcrypt
Inter-convertability of asymmetric key containers (eg: X.509, PGP, OpenSSH)
Secure Remote Password Implementation for iPhone
Cryptographic hash (sha1 or md5) of data given as a string in Mathematica
Facing Memory Leaks in AES Encryption Method
Is there an implementation of ID-based encryption?

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!