Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

What are Salt Rounds and how are Salts stored in Bcrypt?

Tags:

passwords

password-protection

bcrypt

hash

salt

I'm trying to configure Bcrypt for a node app that I'm making and have several questions about salts that I hope someone here can help kindly answer.

  • What is a salt 'round'? For example, in the github docs (https://github.com/kelektiv/node.bcrypt.js/) it uses a salt round of 10. What does that mean exactly?

  • Is the salt generated by Bcrypt always the same? For example, if I am saving user's hashed passwords to a DB, is the salt that it used to hash the password the same for every password?

  • How is the salt stored? Is it secure from potential attacks?

like image 636
doctopus Avatar asked Oct 11 '17 16:10

doctopus

People also ask

What are salt rounds in bcrypt?

With "salt round" they actually mean the cost factor. The cost factor controls how much time is needed to calculate a single BCrypt hash. The higher the cost factor, the more hashing rounds are done. Increasing the cost factor by 1 doubles the necessary time.

How does bcrypt store salt?

The bcrypt utility itself does not appear to maintain a list of salts. Rather, salts are generated randomly and appended to the output of the function so that they are remembered later on (according to the Java implementation of bcrypt ). Put another way, the "hash" generated by bcrypt is not just the hash.

Where are salts stored?

The salt can and should be stored right next to the salted and hashed password. Additionally, the salt should be unique per password. Its purpose is to make it unfeasible to attack a leaked password database by using precomputed tables of password-hash-pairs.

What is salt in programming?

Password salting is a technique to protect passwords stored in databases by adding a string of 32 or more characters and then hashing them. Salting prevents hackers who breach an enterprise environment from reverse-engineering passwords and stealing them from the database.

1 Answers

  1. With "salt round" they actually mean the cost factor. The cost factor controls how much time is needed to calculate a single BCrypt hash. The higher the cost factor, the more hashing rounds are done. Increasing the cost factor by 1 doubles the necessary time. The more time is necessary, the more difficult is brute-forcing.
  2. The salt is a random value, and should differ for each calculation, so the result should hardly ever be the same, even for equal passwords.
  3. The salt is usually included in the resulting hash-string in readable form. So with storing the hash-string you also store the salt. Have a look at this answer for more details.
like image 133
martinstoeckli Avatar answered Sep 30 '22 22:09

martinstoeckli
Sign in to Comment

Related questions

How can I hash passwords in postgresql?
Ruby 1.9 hash with a dash in a key
How can I see if a Perl hash already has a certain key?
What is default hash algorithm that ASP.NET membership uses?
How long to brute force a salted SHA-512 hash? (salt provided)
How can I compute a SHA-2 (ideally SHA 256 or SHA 512) hash in iOS?
Reason for the number 5381 in the DJB hash function?
Ruby: merge nested hash
Sum the value of array in hash
HMAC-SHA1: How to do it properly in Java?
What hashing function does Java use to implement Hashtable class?
How do I convert a Ruby hash so that all of its keys are symbols?
Hash : How does it work internally?
Python dictionary : TypeError: unhashable type: 'list'
What is a good 64bit hash function in Java for textual strings?
Is time() a good salt?
Use Objects.hash() or own hashCode() implementation?
How to elegantly symbolize_keys for a 'nested' hash
Java calculate hex representation of a SHA-1 digest of a String
Pure-Ruby concurrent Hash

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!