Reputation: 2558
How to re-add "unique" salt when user logs in?
I am learning about hashing and encryption and can’t seem to understand this:
Client: New user logs in => Creates password => Sent to a server in plain text
Server: Server generates a random "salt" => plain text and salt are unified => Hash function (e.g. SHA-3) hashes the password+salt into a hash => Hash is stored in DB.
Client: Same user logs out and logs in => Password sent to a server in plain text.
Server: Password needs to re-add the same salt it generated when creating the account to get the same hash.
How does the server generate that same random and unique salt? Is the salt stored on a different DB altogether? If a DB is compromised the hackers would also gain access to the salt and just brute force rainbow tables with the salt and unhash them.
Upvotes: 0
Views: 96
Answers (2)
Reputation: 1424
The salt that was randomly generated must be stored in the database and linked to the user that logged in. It could be simply added as another column in the user table.
In a typical setting, the salt and the password (or its version after key stretching) are concatenated and processed with a cryptographic hash function, and the output hash value (but not the original password) is stored with the salt in a database
Source: https://en.wikipedia.org/wiki/Salt_(cryptography) retrieved 19/02/21
The generation of the salt depends on which technology you are using. The following stack overflow answer has an example for PHP:
Can we use uniqid() to generate a unique Salt in PHP
The password should also never be sent in plain text to the server. This can be done via HTTPS for example
Upvotes: 1
Reputation: 12391
When the user logs in again. The password is sent to server side along with email.
The email is used to fetch the user record and then the Hash value saved against that email is compared with the new hash (salt + password entered).
The validate function method matches the 2 different hash values and checks if password entered was same or not.
For example, I am using bcrypt in Node JS and it has a method compareSync which matches the entered password with the saved hash
bcrypt.compareSync(password, databaseHash);
Upvotes: 0
Related Questions
- adding salt into password before storing it into database
- PHP Login with salt+encryption
- How do I implement salt into my login for passwords?
- Hashing password at user signup on client side and database stores hash only. How to use the same salt again when logging in?
- Generate Same Salt everytime for Same String value
- Unique generated SALT for each user?
- Salted Hashed Password with Python (Different salt for every new password)
- Adding user specific salt to user passwords in drupal
- How to add salt in user password?
- How to implement customized SHA-256 salt per user login/out with db spring 3.1 security?