A cryptographic function that takes random bits and a string (typically a password) and uses a one-way hash to produce a new string that can be used for authentication without providing access to the original string. If a salt function uses enough random bits, the resulting string is generally considered cryptographically secure.
Questions tagged [salt]
1027 questions
12 votes, 3 answers
How should I store a password salt?
Using PHP, I am encoding passwords using the hmac function with the sha256 algorithm. What I'm not sure about is how to properly store the salt.
The whole point of hashing a password is in case a hacker gets access to the database. If I store the…

steeped
12 votes, 3 answers
What is the safest way to store a password using Code Igniter?
I am using Code Igniter for my current project.
As of now, I am using MD5 for password hashing, but I have read in a lot of places that it is not a good practice to do so.
What should I go with?
Using a salt
Or should I use bcrypt
Also, if bcrypt…

Aniket
12 votes, 2 answers
Why can bcrypt.hashpw be used both for hashing and verifying passwords?
Using bcrypt with Python 2.7, I can see that the example uses the bcrypt.hashpw to both hash a password for storage and verify that the given password matches a hashed one, like so:
Hashing
import bcrypt
password = b"somepassword"
hashed =…

Juan Carlos Coto
12 votes, 6 answers
Salt, passwords and security
I've read through many of the questions on SO about this, but many answers contradict each other or I don't understand.
You should always store a password as a hash, never as plain text.
But should you store the salt (unique for each user) next to…

Jonathan.
12 votes, 5 answers
Am I misunderstanding what a hash salt is?
I am working on adding hash digest generating functionality to our code base. I wanted to use a String as a hash salt so that a pre-known key/passphrase could be prepended to whatever it was that needed to be hashed. Am I misunderstanding this…

Lee Warner
12 votes, 3 answers
How can I retrieve a salt from LDAP?
The organization that I work for uses PPolicy (an OpenLDAP module) to automatically salt and hash passwords. Unfortunately, I don't have access to the machine running the OpenLDAP server, so I can't look at the config file. From what I've seen…

blkhp19
12 votes, 8 answers
How would you add salt to your existing password hashes?
I have a database of hashed passwords that had no salt added before they were hashed. I want to add salt to new passwords. Obviously I can't re-hash the existing ones.
How would you migrate to a new hashing system?

Brandon O'Rourke
11 votes, 1 answer
Is using a CreateUUID() function as salt a good idea?
I'm using coldfusion and I would like to generate a random salt field for my passwords. I was wondering if a CreateUUID() function is useful here. I found many examples which use a separate function to create the salt string; but why do this when…

Mohamad
11 votes, 1 answer
Why does compareSync not need salt string?
I am trying to use bcryptjs to generate hash of user passwords. However I am a bit confused in one matter.
Conventionally, according to this article, we need to:
keep the salt of our password hash relatively long and unique,
hash the user password…

Pravin
11 votes, 4 answers
How do I use SHA-512 with Rfc2898DeriveBytes in my salt & hash code?
I'm completely new to cryptography, but learning. I've pieced together many different suggestions from my research online, and have made my own class for handling the hash, salt, key stretching, and comparison/conversion of associated data.
After…

John Suit
11 votes, 2 answers
password_hash equivalent for php 5.4?
I developed my site using XAMPP with php 5.5 installed. I just realized that my host only has php 5.4 (cannot update to 5.5 yet). My problem is that I cannot use the new php 5.5 password_hash() feature. Is there an equivalent method for hashing with…

bagofmilk
11 votes, 1 answer
What does MessageDigest.update(byte[]) do?
What exactly does this do? I tried to look it up but didn't find anything.
Reason for asking is I want to incorporate a SALT byte[] into a value which is then hashed. So should it be done like this (Pseudo…

LuckyMe
11 votes, 7 answers
Is forcing complex passwords "more important" than salting?
I've spent the past 2 hours reading up on salting passwords, making sure that I understood the idea. I was hoping some of you could share your knowledge on my conclusions.
If I'm an attacker, and I gain access to a user database, I could just take…

Galen
11 votes, 5 answers
How do you turn on password hashing (SSHA) in openLDAP
For the life of me, I cannot seem to find this anywhere and if anyone can even just give me a link I would be very appreciative.
We are trying to turn on SSHA hashing in openLDAP. By default it stores passwords in plaintext, which I think is…

Sevil Natas
10 votes, 5 answers
What is the point of salt and hashing if database is accessible?
I just learned the concept of hashing ("Hey! don't forget the salt!") and using salt to make the password secured.
Hashing is a one-way encryption (actually not encryption but hashing) so it cannot be reverse engineered. Salting is prefixing or…

kazinix