salt

What is the salt in Enterprise Library HashProvider? (SaltEnabled key)

How is the salt generated in HashProvider in Microsoft Enterprise Library when we set SaltEnabled? Is it random to new machines? Is it some magic number? (I know what is a salt, the question is what's the actual value of a/the salt in Enterprise Library HashProvider) ...

What is the optimal length for user password salt?

Any salt at all will obviously help when salting and hashing a user's password. Are there any best practices for how long the salt should be? I'll be storing the salt in my user table, so I would like the best tradeoff between storage size and security. Is a random 10 character salt enough? Or do I need something longer? ...

How would you implement salted passwords in Tomcat 5.5

My web application is relying on container-managed security and I'm wondering if it's possible to use salted passwords at all. As far as I can tell it's easy enough to store digested passwords in a database by just configuring a JDBC or DataSource Realm, but there's no way to add a salt to those digest. Any suggestions? Edit: it seems...

Why is a password salt called a "salt"?

Is there a significance to the word "salt" for a password salt? ...

Do I need to store the salt with bcrypt?

BCrypt's Javadoc has this code for how to encrypt a password: String pw_hash = BCrypt.hashpw(plain_password, BCrypt.gensalt()); To check whether a plaintext password matches one that has been hashed previously, use the checkpw method: if (BCrypt.checkpw(candidate_password, stored_hash)) System.out.println("It matches"); else ...

What is the easiest way to create and compare a salted password in .NET?

In an ongoing effort to improve my code I am looking for the best way to create and compare a salted password in .NET. Is there a better, or more secure, way of doing this? My current code is as follows: public static string CreateSaltedPassword(string salt, string password) { SHA1CryptoServiceProvider SHA1 = null; ...
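Three of the questions above (how long a salt should be, whether bcrypt needs the salt stored separately, and how to create and compare a salted password in .NET) come down to the same mechanics. The following Python is an added illustration, not code from any of the posts: it draws a 16-byte random salt per password, embeds the salt and the work factor inside the stored string itself (the same idea as bcrypt embedding its gensalt() output in the hash), and verifies by re-deriving the digest and comparing in constant time. The `pbkdf2_sha256$iterations$salt$digest` layout, the iteration count and the sample passwords are my own choices for this example.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Parameters chosen for this example (not taken from any post on the page).
SALT_BYTES = 16          # 128-bit random salt, one per stored password
ITERATIONS = 600_000     # PBKDF2-HMAC-SHA256 work factor
ALGORITHM = "pbkdf2_sha256"


def hash_password(password: str, *, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return one self-describing string: algorithm$iterations$salt$digest.

    The salt is generated here and written into the result, so the caller
    stores a single column and never manages the salt separately. Passing
    an explicit salt is only for tests that need a reproducible value.
    """
    if salt is None:
        salt = secrets.token_bytes(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Re-derive the digest from the parameters embedded in `stored`.

    The comparison uses hmac.compare_digest so timing does not leak how many
    leading bytes of the candidate digest were correct. Malformed input is
    treated as a failed check rather than an exception.
    """
    try:
        algorithm, iterations, salt_hex, digest_hex = stored.split("$")
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
        rounds = int(iterations)
    except ValueError:
        return False
    if algorithm != ALGORITHM or rounds <= 0:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    return hmac.compare_digest(candidate, expected)


def same_password_different_hashes(password: str) -> bool:
    """Two users with the same password get unrelated stored values,
    because each call draws its own salt; a precomputed table built for
    one salt is useless against the other."""
    return hash_password(password) != hash_password(password)


if __name__ == "__main__":
    stored = hash_password("correct horse battery staple")
    print(stored)
    print(verify_password("correct horse battery staple", stored))   # True
    print(verify_password("wrong password", stored))                  # False
    print(same_password_different_hashes("hunter2"))                  # True
```

Storing the iteration count alongside the salt is what lets you raise the work factor later: new hashes are written with the higher count, and old records keep verifying until the user next logs in and the value can be rewritten.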

How best to generate a random salt for a Web Site?

Hi folks, I'm wanting to generate a random salt value and put it into the Application state. Now, I'm using a web farm, so the Application state will be different per machine. I don't want to purchase distributed state farm apps, either. So... what are some solutions for this? I thought I could hard-code it in the code OR the web.conf...

Client Side MD5 Hash with Time Salt

I want to salt a hashed username and password (submitted via http POST) in JS on the client-side with a higher-order time value (< 1 minute resolution) to avoid sending the username and password hash as a constant value that could be used for a log-in attempt via POST fabrication by an unauthorized user (i.e. a sniffer). This will impos...

Need some help understanding password salt

I'm having some trouble understanding the purpose of a salt to a password. It's my understanding that the primary use is to hamper a rainbow table attack. However, the methods I've seen to implement this don't seem to really make the problem harder. I've seen many tutorials suggesting that the salt be used as the following: $hash = ...

Why do web applications insist on defining strict password rules?

You've all encountered the various websites that force you to have a password that is 6 characters long, must have 1 number, and must rhyme with 'annoying.' Obviously there are legacy reasons why sometimes this is necessary but other times it's all for security. I find that it's rather annoying because I have a standard set of passwords...

What is the difference between a 'character' and an 'octet'?

I see the term 'octet' popping up in literature about nonces for hashing, and it seems to be synonymous with 'character', although there is a kind of pattern to how the words are used. This leads me to believe that there is a formal distinction between the two. If anyone could enlighten me to what it is, I'd appreciate it. (and please,...

PHP Sessions + Useragent with salt

Hi, It keeps running in my mind the last couple of days, but I read some articles about how to make your PHP sessions more secure. Almost all of these articles say that you need to save the useragent in the session WITH an additional salt. Something like this: $fingerprint = md5('SECRET-SALT'.$_SERVER['HTTP_USER_AGENT']); The salt wo...

Salting Your Password: Best Practices?

I've always been curious... Which is better when salting a password for hashing: prefix, or postfix? Why? Or does it matter, so long as you salt? To explain: We all (hopefully) know by now that we should salt a password before we hash it for storage in the database [Edit: So you can avoid things like what happened to Jeff Atwood recentl...

How do I create a MySQL user with hash('sha256', $salt . $password)?

I must be missing something. I want to set up a database user account for select-only transactions, but MySQL is not letting me choose the hash method for a password on creating a user account. This fails: GRANT SELECT ON myDB.* TO 'selectuser'@'localhost' IDENTIFIED BY hash('sha256', 'salted-myfakelongrandompasswordstring'); ERROR ...

Encrypted passwords of not-encrypted passwords user base

Some time ago I joined a new project. It had been under development for quite a long time. The thing that surprised me was that all users' passwords are stored in non-encrypted form. I explained the huge security vulnerabilities of this to our management - it looks like they agree with that and want to make the project more secure. Team members agree ...

Password hash and salting - is this a good method?

I was doing a little research or googling for different methods of handling password hashing and salting and came across this interesting link: http://phix.me/salt/ Now, essentially what this proposes is the creation of two user functions, one for hashing and one for checking the hash. The salt is pseudo random but is in actual fact ...

Salts and Passwords - prefix or postfix

This is a question about salting phrases that need to be hashed. I was wondering if it is more secure to prefix the salt to a phrase or postfix it? salt + phrase or phrase + salt My question comes from this comment on this post on MD5s. I am not sure I understand the reasoning behind the author's comment. ...

Storing salt in code instead of database

There have been a couple of great discussions regarding salt best practices, and it seems the overwhelming recommendation is to generate a different salt for each password and store it alongside the password in the database. However, if I understand the purpose of salt correctly, it is to reduce the chance that you will be compromised b...

Salting a C# MD5 ComputeHash on a stream

I can't see any way to salt a MD5.ComputeHash(Stream). Am I missing some way of injecting bytes into the HashAlgorithm? I tried performing a ComputeHash(byte[]) before performing the stream compute, but, unsurprisingly, it had no effect. Any ideas (apart from modifying the file)? Thanks for your time. addendum Just to be a little mor...

Is my authentication encryption any good?

So I've been reading a lot about encryption in PHP. So much that I am not sure exactly what's a really good method to securely store login information. However, the following function is what I came up with: function loginHash($username, $password){ $salt = str_split($password,(strlen($password)/2)+1); $hash = hash('whirlpool',...