salt

I've decided to implement a user login using a per-user salt, stored in the database. The salt is prefixed to a password which is hashed with SHA and stored in the databse. In the past when I wasn't using a salt I would use the typical method of counting the number of rows returned by a query using the user inputted username and password. With a per user salt however, you need to get the salt before you can compare it with the stored password hash. So to avoid having two queries (1 to get the salt and another to validate the input credentials) I decided to get the salt AND the hashed password

Using bcrypt with Python 2.7, I can see that the example uses the bcrypt.hashpw to both hash a password for storage and verify that the given password matches a hashed one, like so: Hashing import bcrypt password = b"somepassword" hashed = bcrypt.hashpw(password, bcrypt.gensalt()) Ok, so far so good. The given password is now hashed using bcrypt, so it is a string of hashed bytes. Verifying Now, here's the part that confuses me: to check that a plaintext password matches a hashed password, the same function is used, using the hashed password as a salt: if bcrypt.hashpw(password, hashed) ==

I am developing a site in php 5.4 and i was wondering which is better to use to gen a random salt for password security? $salt = sha1(openssl_random_pseudo_bytes(23)); or $seed = ''; $a = @fopen('/dev/urandom','rb'); $seed .= @fread($a,23); $salt = sha1(seed); or should i just go with: $salt = openssl_random_pseudo_bytes(40); or $salt = ''; $a = @fopen('/dev/urandom','rb'); $salt .= @fread($a,23); For security purposes you are better off using openssl_random_pseudo_bytes . OpenSSL takes care of gathering enough entropy to serve you good randomness. /dev/urandom is devised to never block and

I am debating using user-names as a means to salt passwords, instead of storing a random string along with the names. My justification is that the purpose of the salt is to prevent rainbow tables, so what makes this realistically less secure than another set of data in there? For example, hash( md5(johnny_381@example.com), p4ss\/\/0rD) vs hash( md5(some_UUID_value), p4ss\/\/0rD) Is there a real reason I couldn't just stick with the user name and simplify things? The only thing my web searching resulted was debates as to how a salt should be like a password, but ended without any reasoning

Laravel uses bcrypt to hash passwords. According to this article, at some point in the process, the Hash::make function creates and uses a 22-length random string as a salt to generate the password. For a single distinct password, Hash::make does return unique hashes, hinting that it does use some kind of salting somewhere in the process. But these salts are not stored in the users table, where I would expect them. How does laravel know the appropriate hash to use to verify the password? Laravel Hash Explained The article that you linked seems to contain the answer. https://mnshankar.wordpress

I am learning Rails, at the moment, but the answer doesn't have to be Rails specific. So, as I understand it, a secure password system works like this: User creates password System encrypts password with an encryption algorithm (say SHA2). Store hash of encrypted password in database. Upon login attempt: User tries to login System creates hash of attempt with same encryption algorithm System compares hash of attempt with hash of password in the database. If match, they get let in. If not, they have to try again. As I understand it, this approach is subject to a rainbow attack — wherein the

I am trying to create a login and register page for my website. I am looking to use cookies in order to track a users session however I'm trying to implement it in the most proper and secure way. I've tried looking at tutorials and forums but most of them are outdated and use techniques that people comment are not secure. I understand tokens needs to be randomly generated and encrypted so I found one response that suggested to use a MessageDigest on UUID. But I found more articles suggesting that this may not be as secure as I think... Any suggestions on a secure way to generate cookie tokens

I can't see any way to salt a MD5.ComputeHash(Stream). Am I missing some way of injecting bytes into the HashAlgorithm? I tried performing a ComputeHash(byte[]) before performing the stream compute, but, unsurprisingly, it had no effect. Any ideas (apart from modifying the file)? Thanks for your time. addendum Just to be a little more specific, I want to use a stream to get a hash on a large file that I don't want to load into memory. FileInfo myFI= new FileInfo("bigfile.dat"); FileStream myIFS = piFile.OpenRead(); MD5 md5 = MD5.Create(); byte[] hash = md5.ComputeHash ( myIFS ); myIFS.Close ()