Logo Questions Linux Laravel Mysql Ubuntu Git Menu

Salt/Hash for Firebase Simple Login?

Firebase offers 'Simple Login' in which email/password is used for authentication. Does anyone know if firebase salts and hashes the password before storing it? I imagine that firebase would know enough to do so, but I just wanted to make sure, because I could not find anything on this after an hour of searching.

Anticipated follow up: If firebase in fact does not salt+hash the passwords, would the Simple Login work if I took the user's password, salted+hashed, and passed it onto firebase to store/check?

Thanks in advance!

like image 829
user3916009 Avatar asked Mar 19 '23 19:03


1 Answers

As of 2016

As of 2016, Firebase uses a modified version of scrypt to encrypt passwords. A library to perform the encryption was released on GitHub here.

It uses both salt and hashes as shown in the sample:

# Params from the project's password hash parameters

# Params from the exported account

# The users raw text password

# Generate the hash
# Expected output:
# lSrfV15cpx95/sZS2W9c9Kp6i/LVgQNDNC/qzrCnh1SAyZvqmZqAjTdn3aoItz+VHjoZilo78198JAdRuid5lQ==
echo `./scrypt "$base64_signer_key" "$base64_salt" "$base64_salt_separator" "$rounds" "$memcost" -P <<< "$password"`


According to this page (http://firebase.com/docs/web/guide/simple-login/password.html) Firebase uses bcrypt.

According to the wiki page on bcrypt (http://en.wikipedia.org/wiki/Bcrypt), it both hashes and uses salt with that.

like image 153
Frank van Puffelen Avatar answered Mar 31 '23 19:03

Frank van Puffelen