
I am storing passwords in a database at the minute by using the scrypt algorithm and then storing that string.

I am then doing the password check by hashing the password provided and checking it against that.

My question is, do I want to be adding more security than that? Should I be salting the encrypted string, too?

MickeyThreeSheds
  • I think you need to provide more details. What do you mean by *salting the encrypted string*? scrypt does not encrypt, it hashes, and its implementation should require you to provide a salt whenever it's used. – Alex K. Feb 10 '17 at 15:43
  • What language and implementation are you using? – zaph Feb 10 '17 at 15:49
  • Hey! The language is Java, and I am using this implementation: https://github.com/wg/scrypt – MickeyThreeSheds Feb 10 '17 at 19:52
  • If you hashed it with `scrypt` as the algorithm is specified, then you used a salt. If you did not salt it, then you did not hash it with `scrypt`. There are some corner cases, like using the same salt for all users, but I don't think you are in one of them. – jww Feb 11 '17 at 03:00

1 Answer

No; scrypt by definition already includes a salt in its hashing procedure to prevent rainbow attacks. This means an additional salt would not give you any security benefits. Additional tinkering will only complicate your code and make your system more brittle.

fzgregor
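To make the answer concrete for the library the asker named, here is an added example (not part of the answer, and not code from the wg/scrypt project) that hashes one password twice with `com.lambdaworks.crypto.SCryptUtil` and pulls the salt field out of each stored string, showing that the library already draws a fresh random salt per call and embeds it in its `$s0$<params>$<salt>$<key>` output. It assumes the wg/scrypt jar is on the classpath; the class and method names used are the library's own.

```java
import com.lambdaworks.crypto.SCryptUtil;

public class ScryptSaltDemo {
    // Work factors: N (CPU/memory cost, a power of two), r (block size), p (parallelism).
    // 16384/8/1 are the values from the wg/scrypt README; raise N as your hardware allows.
    static final int N = 16384, R = 8, P = 1;

    // Hash for storage. The library draws a fresh 16-byte salt from SecureRandom
    // itself and embeds it in the returned "$s0$<params>$<salt>$<key>" string,
    // so there is nothing left for the caller to salt.
    static String hashForStorage(String password) {
        return SCryptUtil.scrypt(password, N, R, P);
    }

    // Verify: the library parses the parameters and salt back out of the stored
    // string and recomputes the key; the caller never touches the salt directly.
    static boolean verify(String password, String stored) {
        return SCryptUtil.check(password, stored);
    }

    // Extract the Base64 salt field, purely to make the point visible.
    // Splitting on '$' yields: "", "s0", params, salt, key.
    static String saltField(String stored) {
        return stored.split("\\$")[3];
    }

    public static void main(String[] args) {
        String pw = "correct horse battery staple";   // constructed sample input
        String h1 = hashForStorage(pw);
        String h2 = hashForStorage(pw);

        System.out.println(h1);
        System.out.println(h2);
        // Same password, two different salts, two different stored strings ...
        System.out.println("salts differ:   " + !saltField(h1).equals(saltField(h2)));
        // ... yet both verify, because each string carries its own salt.
        System.out.println("both verify:    " + (verify(pw, h1) && verify(pw, h2)));
        System.out.println("wrong rejected: " + !verify("not the password", h1));
    }
}
```

Store only the string `scrypt()` returns; a second, hand-rolled salt would have to be stored and parsed by your own code, which is exactly the extra surface the answer warns against.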