3

If a user creates a new password and this goes through a hash algorithm and is stored in the database, it can then be matched up with the user's entered password when they log in. The password entered into the login screen is hashed and then checked to see if it matches the stored hash. If it does, it allows the user access.

However, nowadays, passwords are hashed and salted. So when the user first registers their password, it goes through a hash, and then it gets salted over 10,000 times. Is this salt with the same keyword generated by the backend code, or is it randomly generated for each time it gets salted?

When the user enters the password to log in, how does it match up to the hash and salted password? If the salt is random each time, surely it will end up with a different hash? That's why even if two users entered the same password, they end up with different hashes.

GolfBravo
    The salt is usually stored with the hashed/salted password. Also, why are you salting 10,000 times? – DavidG May 23 '22 at 17:05
  • It's .net core framework I am using. It iterates it 10,000 times – GolfBravo May 23 '22 at 17:10
  • If you're using ASP.NET Identity, then the salt is stored in the database, but you shouldn't really need to worry about that since Identity gives you the tools to match passwords. – DavidG May 23 '22 at 17:14
  • It's more out of curiosity. If the salt is stored in the database, couldn't the hacker just get it from there if they compromise the database and go through a brute force attack and then match up the hashes as if the salt didn't exist? – GolfBravo May 23 '22 at 17:20
  • It's about making life hard for an attacker. Without a salt, two people with the same password would have the same hash. An attacker can generate a single hash table for your entire database. With a salt, every record has to use its own hash table. They might be able to crack a single user's password, but not all of them. – DavidG May 23 '22 at 17:27

1 Answer

3

Great questions!

So when the user first registers their password, it goes through a hash, and then it gets salted over 10,000 times. Is this salt with the same keyword generated by the backend code, or is it randomly generated for each time it gets salted?

The actual mechanics of how salting and hashing work vary from implementation to implementation. However, the general idea behind a salt is to generate, for each stored password, a random piece of information called the salt. The stored value is then derived from a hash of the password itself mixed with the salt in some way. It could be that you hash the password and then run lots of rounds of combining the hash with the salt, or perhaps you just concatenate the password and salt together and hash it lots of times.

It's essential, for this process to work, that you have a different salt for each password. If you use the same salt each time, then every copy of the same password will look the same after you're done hashing it and combining it with the salt. This leaks information, which is not a good thing.

When the user enters the password to log in, how does it match up to the hash and salted password, if the salt is random each time, surely it will end up with a different hash?

When the server checks the password, it needs to have access to the salt that it used when storing the password. Otherwise, it has no way of recalculating the stored value from the password. The salts are usually stored right next to the final hash. The idea is that the salt isn't the secret - the password is - and so it's fine to just store it alongside.

That's why even if two users entered the same password, they end up with different hashes.

Yep, each password is stored with a different salt. Each salt is randomly generated, but then stored alongside the final password hash.

templatetypedef
  • Great answer, although I've been reading this article and I couldn't find an example of them storing the salt in database. https://www.makeuseof.com/nodejs-bcrypt-hash-verify-salt-password/ – Hairi Apr 08 '23 at 13:19
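The flow the answer describes (a fresh random salt per password, the salt stored in clear next to the hash, and verification that recomputes the hash from the stored salt), as an added example that is not part of the original question, answer or any of the libraries mentioned. It uses Python's standard-library PBKDF2-HMAC-SHA256 as a stand-in for whatever ASP.NET Identity or bcrypt does internally; the 10,000 iteration count is taken from the comments, while the 16-byte salt length, the `iterations$salt$hash` record format and the function names are assumptions made for this demo. The last function deliberately reuses one fixed salt to show the information leak the answer warns about.

```python
import hashlib
import hmac
import os
from typing import Optional

# Example parameters (assumptions for this demo): the iteration count matches the
# 10,000 mentioned in the comments; a 16-byte random salt is a common choice.
ITERATIONS = 10_000
SALT_BYTES = 16
HASH_NAME = "sha256"


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a storable record of the form 'iterations$salt_hex$hash_hex'.

    A fresh random salt is drawn on every call, so two users who register the
    same password get different records. The salt is not a secret: it is kept
    in clear inside the record, right next to the hash, because verification
    needs it later. The 'salt' parameter exists only so the demo below can show
    what goes wrong when a salt is reused.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(HASH_NAME, password.encode("utf-8"), salt, ITERATIONS)
    return f"{ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Check a login attempt against a stored record.

    The salt and iteration count are read back out of the record, the candidate
    password is run through the same computation, and the results are compared
    in constant time. Nothing is decrypted: the stored value is never turned
    back into a password.
    """
    try:
        iterations_str, salt_hex, stored_hex = record.split("$")
        salt = bytes.fromhex(salt_hex)
        iterations = int(iterations_str)
    except ValueError:
        return False  # malformed record: never accept it
    digest = hashlib.pbkdf2_hmac(HASH_NAME, password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(digest.hex(), stored_hex)


def same_password_gives_distinct_records(password: str) -> bool:
    """Two registrations of one password look unrelated in the database."""
    return hash_password(password) != hash_password(password)


def reused_salt_leaks_equality(password: str) -> bool:
    """With one fixed salt, equal passwords produce identical records.

    This is the information leak the answer warns about: anyone reading the
    table can see which accounts share a password without cracking anything.
    """
    fixed_salt = b"\x00" * SALT_BYTES  # constructed: a salt wrongly reused for everyone
    return hash_password(password, fixed_salt) == hash_password(password, fixed_salt)


if __name__ == "__main__":
    # Constructed registration data for the demo: two users pick the same password.
    users = {"alice": hash_password("correct horse"), "bob": hash_password("correct horse")}
    for name, record in users.items():
        print(name, record)
    print("alice login ok:", verify_password("correct horse", users["alice"]))
    print("bob wrong password:", verify_password("battery staple", users["bob"]))
    print("same password, distinct records:", users["alice"] != users["bob"])
    print("reused salt leaks equality:", reused_salt_leaks_equality("correct horse"))
```

Running the module prints two different records for alice and bob even though they chose the same password, and login still succeeds for each because the salt travels inside the record. This also answers the comment about the bcrypt article: bcrypt does the same thing in a single string, since the value it returns already contains the cost factor and the salt, so there is no separate salt column to look for.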