salt

I need to hash some passwords with salt on postgresql, and I haven't been able to find any relevant documentation on how to get that done. So how can I hash passwords (with some salts) in postgresql? It's been a while since I asked this question, and I'm much more familiar with the cryptographic theory now, so here is the more modern approach: Reasoning Don't use md5. Don't use a single cycle of sha-family quick hashes. Quick hashes help attackers, so you don't want that. Use a resource-intensive hash, like bcrypt, instead. Bcrypt is time tested and scales up to be future-proof-able. Don't

Further to my previous question about salted passwords in PHP/MySQL , I have another question regarding salts. When someone says "use a random salt" to pre/append to a password, does this mean: Creating a static a 1 time randomly generated string of characters , or Creating a string of characters that changes at random every time a password is created ? If the salt is random for every user and stored along with the hashed password, how is the original salt ever retrieved back for verification? Rich Adams A new salt should be randomly generated for each user and each time they change their

I'm looking at some code that I have not written myself. The code tries to hash a password with SHA512 and uses just time() as the salt. Is time() too simple a salt for this or is this code safe? Thanks for the answers and comments. I will sum it up here for the new readers: salt should be different for each user, so if 2 users register at the same time, their salts won't be unique. This is a problem, but not a big one. but salt shouldn't be in any way related to the user, so time() is not a good salt. " Use a random, evenly distributed, high entropy salt. " -- That's a mouthful, so what code

I've been looking around and the closest answer is : How to generate a random alpha-numeric string? I want to follow this workflow according to this CrackStation tutorial : To Store a Password Generate a long random salt using a CSPRNG. Prepend the salt to the password and hash it with a standard cryptographic hash function such as SHA256. Save both the salt and the hash in the user's database record. To Validate a Password Retrieve the user's salt and hash from the database. Prepend the salt to the given password and hash it using the same hash function. Compare the hash of the given password

Here is an algorithm in Java: public String getHash(String password, String salt) throws Exception { String input = password + salt; MessageDigest md = MessageDigest.getInstance(SHA-512); byte[] out = md.digest(input.getBytes()); return HexEncoder.toHex(out); } Assume the salt is known. I want to know the time to brute force for when the password is a dictionary word and also when it is not a dictionary word. emboss In your case, breaking the hash algorithm is equivalent to finding a collision in the hash algorithm. That means you don't need to find the password itself (which would be a