slevin

Reputation: 3878

how to safely store the password salt

I use pbkdf2 to salt and hash passwords. I get that the salt must be unencrypted and accessible so I can use it again in validation. Each password's salt must be accessible so I can salt and hash the to-be-validated password and compare it with the stored one.

I was thinking to store the salt like so

Assuming salt is always a string with a fixed length, e.g., 10 characters

finalPassword = salt + password;
//save finalPassword in the db

and then to validate

salt = getFirst10CharsOf (finalPassword);

hash to-be-validated password with that salt

compare hashed password with the saved one

My question is, if a hacker is smart enough to get my hashed passwords, what stops her from seeing the getFirst10CharsOf part in my code and getting a couple of salts, so she can easily decrypt a couple of hashes?

I found a lot of theory, but I don't have a clue how to safely store salts in practice. So they can always be accessible just to the validation code, but not to everyone.

Thanks

Upvotes: 1

Views: 109

Answers (2)

Quentin

Reputation: 943090

> what stops her from seeing the getFirst10CharsOf part in my code and getting a couple of salts,

Nothing

> so she can easily decrypt a couple of hashes?

The point of using a one-way hash is that you can't decrypt them (not even with the salt).

The point of using a salt (and a different one each time) is that you can't brute force them with a rainbow table.

> I don't have a clue how to safely store salts in practice.

Just store them with the hashed password. There's no need to keep them inaccessible.

> So they can always be accessible just to the validation code, but not to everyone.

If it was possible to store data somewhere that your code could access but someone with illicit access to the system the code runs on could not, then there would be no need to hash passwords in the first place.

Upvotes: 2

zaph

Reputation: 112857

The salt does not need to be secret; it is used for several things: 1. making the use of rainbow tables more difficult and 2. ensuring that two passwords do not hash to the same value, so that if one is compromised, other identical passwords are not (different hashes).

Upvotes: 2
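
An added example (not code from the question or from either answer) of what both answers describe: a fresh random salt per password, stored in the clear next to the PBKDF2 output and read back at validation time. The record layout, iteration count and function names are assumptions chosen for illustration.

```python
import base64
import hashlib
import hmac
import os

ALGORITHM = "pbkdf2_sha256"  # label kept in each record (layout is an assumption)
ITERATIONS = 600_000         # assumed work factor; tune for your hardware
SALT_BYTES = 16


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return one storable string holding the salt and the derived hash."""
    salt = os.urandom(SALT_BYTES)  # fresh random salt per password; not secret
    derived = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$".join([
        ALGORITHM,
        str(iterations),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(derived).decode("ascii"),
    ])


def verify_password(password: str, stored: str) -> bool:
    """Re-derive with the stored salt and compare in constant time."""
    try:
        algorithm, iterations, salt_b64, hash_b64 = stored.split("$")
        if algorithm != ALGORITHM:
            return False
        salt = base64.b64decode(salt_b64, validate=True)
        expected = base64.b64decode(hash_b64, validate=True)
        candidate = hashlib.pbkdf2_hmac(
            "sha256", password.encode("utf-8"), salt, int(iterations), dklen=len(expected)
        )
    except (ValueError, OverflowError):
        return False  # malformed record: reject instead of raising
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")  # constructed sample
    print(record)  # the salt is readable in the record, by design
    print(verify_password("correct horse battery staple", record))
    print(verify_password("wrong guess", record))
```

Storing the iteration count in the record lets the work factor be raised later without invalidating existing hashes.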
