I have been developing a login library for a website using CodeIgniter. The authentication code is as follows:
function signin($username, $password)
{
    $CI =& get_instance(); // CodeIgniter instance; inside a library the DB object is $CI->db, not $this->db
    // Bound parameters (?) keep the inputs out of the SQL text; MySQL reads the
    // row's own salt and computes SHA1(password . salt) for the comparison.
    $query_auth = $CI->db->query('SELECT user_id, banned FROM user WHERE username=? AND password=SHA1(CONCAT(?,salt)) LIMIT 1', array($username, $password));
    ...
I am debating using user-names as a means to salt passwords, instead of storing a random string along with the names. My justification is that the purpose of the salt is to prevent rainbow tables, so what makes this realistically less secure than another set of data in there?
For example,
hash( md5([email protected]), p4ss\/\/0rD...
I tried to research this, but there were still some questions left unanswered. I was looking into figuring out how an 8 character password gets turned into a high-bit encryption key. During my research I found articles that would talk about the salt value.
Assume you could get all 256 characters to play with, then an 8-character passwor...
I had an idea about hashed passwords and salt values. Since I'm rather new to hashing and encryption, I thought I'd post this to you. Would it be more secure to generate a unique salt for each user account, then store the salt and hashed values in the database? Or, keep a single salt value securely stored and re-use that each time I h...
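The following is an added example, not code from the CodeIgniter post or from the question just above. It puts the three salt policies those two posts discuss (user name as salt, one site-wide salt, a random salt per account) in front of an offline dictionary attack on a leaked table and counts how many hash computations the attacker needs. PBKDF2-HMAC-SHA256 from the Python standard library stands in for the SHA1(CONCAT(password, salt)) of the query above; the iteration count, the sample accounts and the word list are constructed for the demo, and the second "site" assumes the same users chose the same passwords there.

```python
import hashlib
import hmac
import os

# Added example, not from any post on this page. Iteration count is an
# assumption kept low so the demo runs quickly; use far more in production.
ITERATIONS = 10_000


def derive(password, salt, iterations=ITERATIONS):
    """Salted, iterated hash. The salt is not secret; it only has to be unique."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def make_records(users, salt_for):
    """Build a 'leaked' table {user: {'salt', 'hash'}} under one salt policy.
    users: {username: password}; salt_for: callable(username) -> bytes."""
    out = {}
    for name, pw in users.items():
        salt = salt_for(name)
        out[name] = {"salt": salt, "hash": derive(pw, salt)}
    return out


def verify(record, password):
    """Login check: recompute with the stored salt, compare in constant time."""
    return hmac.compare_digest(record["hash"], derive(password, record["salt"]))


def dictionary_attack(records, wordlist, cache=None):
    """Attacker's view of the leaked table. Returns (cracked, computations).
    Each distinct (salt, word) pair is hashed once and memoised in `cache`;
    passing the same cache to a second call models precomputation carried
    from one breach to the next."""
    if cache is None:
        cache = {}
    cracked, computations = {}, 0
    for name, rec in records.items():
        for word in wordlist:
            key = (rec["salt"], word)
            if key not in cache:
                cache[key] = derive(word, rec["salt"])
                computations += 1
            if hmac.compare_digest(cache[key], rec["hash"]):
                cracked[name] = word
                break
    return cracked, computations


# Constructed sample data: three accounts, two of them sharing a password.
USERS = {"alice": "password", "bob": "letmein", "carol": "password"}
WORDLIST = ["123456", "password", "letmein"]
SITE_SALT = b"one-salt-for-the-whole-site"


def compare_salt_policies():
    """Hash computations the attacker needs against each salt policy."""
    shared = make_records(USERS, lambda _name: SITE_SALT)
    random_per_user = make_records(USERS, lambda _name: os.urandom(16))
    username_site_a = make_records(USERS, lambda name: name.encode())
    username_site_b = make_records(USERS, lambda name: name.encode())  # second site, same scheme

    carried = {}  # attacker's memo built on site A, reused against site B
    return {
        "shared_salt": dictionary_attack(shared, WORDLIST)[1],
        "random_per_user": dictionary_attack(random_per_user, WORDLIST)[1],
        "username_salt_first_site": dictionary_attack(username_site_a, WORDLIST, carried)[1],
        "username_salt_second_site": dictionary_attack(username_site_b, WORDLIST, carried)[1],
        "login_still_works": verify(random_per_user["alice"], "password")
        and not verify(random_per_user["alice"], "letmein"),
    }


if __name__ == "__main__":
    for policy, cost in compare_salt_policies().items():
        print(f"{policy:28} {cost}")
```

With one site-wide salt the attacker hashes each candidate word once and matches it against every row (3 computations for 3 words); with a random per-user salt every row costs the full word list again (7 here, and it scales with the number of users). A user-name salt costs the same as a random one on the first site, but because the salt is predictable and identical on any other site using the scheme, the table built for the first breach cracks the second dump with zero new computations.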
Hello,
can you please tell me what the best way to salt a password is. Which method is best?
Thank you.
...
Once I've generated a salt and hashed the password (using bcrypt, etc) would it be best to store the results as a string or as a byte array in the database? Are there any benefits either way? Or is it a more subjective decision?
...
Hi,
I've read somewhere that adding a salt at the beginning of the password before hashing it is a bad idea. Instead, it is much more secure to insert it somewhere in the middle of the password.
I don't remember where I found this, and can neither find any other articles saying the same thing, nor understand why this may increase...
I'm currently building a couple of ASP.NET MVC 2 sites, and am wondering what my options are for salting a password. With my PHP work, I usually just obtained the timestamp of when a user registered, then appended it to the end of their password string before using SHA1 to hash the entire thing. My instinct is that this approach may no...
I'm having difficulty figuring out why user password hashing is not working.
The way I do this is the normal method, where upon registration I create a random salt, combine it with the password and store it, but when I try to match the passwords at login, they fail :(
<?php
class Model_users extends ModelType_DatabasePDO
{
//...
...
Could someone please help me understand how salting works?
So far I understand the following:
Validate password
Generate a random string
Hash the password and the random string and concat them, then store them in the password field...
How do we store the salt, or know what it is when a user logs in? Do we store it in its own field? ...
Possible Duplicate:
Need some help understanding password salt
Update: Please note I am not asking what a salt is, what a rainbow table is, what a dictionary attack is, or what the purpose of a salt is. I am querying: if you know the user's salt and hash, isn't it quite easy to calculate their password?
I understand the proces...
I'm using ColdFusion and I would like to generate a random salt field for my passwords. I was wondering if a CreateUUID() function is useful here. I found many examples which use a separate function to create the salt string; but why do this when you could use rand() or CreateUUID() functions instead? I'm not sure.
Is it an overkill or ...
I am having difficulty understanding how a salt which is appended to a hash helps improve the security when a database of passwords or other important information is compromised.
If the salt is, for example, "hello", and is appended to the password "password" then the salt and password are stored together, "hellopassword" and hashed to ...
Dear SO-ers!
The question I'm about to ask is just because I'm curious. I think I'm doing the right thing, but I want to make sure it actually is the right thing. It's about hashing.
The website I am currently building features several Ajax-ed components. First of all, users that are not logged in cannot use these components. Second, u...
I have a system where I salt and hash passwords before saving them to the database, using FormsAuthentication in asp.net
What I want to do is, rather than ask the customer for their password each time, I just want 3 random letters from their password. How can I compare this to the hash in the database? Will hashing still work in this ca...
Is it a bad idea to use an email address as a salt for a password?
...
I've been using PHP's crypt() as a way to store and verify passwords in my database. I use hashing for other things, but crypt() for passwords. The documentation isn't that good and there seems to be a lot of debate. I'm using blowfish and two salts to crypt a password and store it in the database. Before I would store the salt and the e...
I've heard of people using this approach and would like to know what the implications are. I just know it's a bad idea!
From what I understand, salting a password before storing the hash in a DB has the primary purpose of making every hashing algorithm unique, and thus requiring a new rainbow table for every user when trying to crack it...
So, I'm cool with using a per-user salt to hash my users' passwords. However, there's one piece of advice in the accepted answer:
Do not use a separate column for the salt.
This doesn't make sense to me. If I'm just catenating the hash and salt and putting them in the same column, surely that's semantically equivalent to two separ...
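The following is an added example and is not code from any post on this page. It addresses the question just above (one column or two for salt and hash), the earlier "how do we store the salt, or know what it is when a user logs in?" post, and the bcrypt string-or-bytes question: the salt, the algorithm name and the work factor are packed into one self-describing text string in the style that crypt()/bcrypt output already uses, and the verifier parses everything it needs back out of that string. The field layout, algorithm label and iteration counts are assumptions chosen for the demo; PBKDF2-HMAC-SHA256 from the standard library is used so it runs with no third-party package.

```python
import base64
import hashlib
import hmac
import os

# Added example, not from any post on this page. One column stores
# "$pbkdf2-sha256$<iterations>$<salt>$<digest>"; the separator is '$', which
# never appears in base64, so the string can be split back without ambiguity.
ALGO = "pbkdf2-sha256"
DEFAULT_ITERATIONS = 50_000  # assumption for the demo


def _b64(raw):
    """Unpadded base64 keeps the stored field free of '=' and '$'."""
    return base64.b64encode(raw).decode("ascii").rstrip("=")


def _unb64(text):
    return base64.b64decode(text + "=" * (-len(text) % 4))


def hash_password(password, iterations=DEFAULT_ITERATIONS, salt=None):
    """Return one storable string carrying algorithm, cost, salt and digest."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"${ALGO}${iterations}${_b64(salt)}${_b64(digest)}"


def parse(stored):
    """Split the stored string into (iterations, salt, digest); reject junk."""
    parts = stored.split("$")
    if len(parts) != 5 or parts[0] != "" or parts[1] != ALGO:
        raise ValueError("unrecognised password hash format")
    iterations = int(parts[2])
    if iterations < 1:
        raise ValueError("bad iteration count")
    return iterations, _unb64(parts[3]), _unb64(parts[4])


def verify_password(stored, candidate):
    """Recompute from the embedded salt and cost; compare in constant time."""
    iterations, salt, digest = parse(stored)
    calc = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(calc, digest)


def needs_rehash(stored, iterations=DEFAULT_ITERATIONS):
    """True if the row was made with a lower cost. Because the cost travels
    with the hash, it can be raised per user at next login, no schema change."""
    return parse(stored)[0] < iterations


def demo():
    old = hash_password("hunter2", iterations=1_000)  # an older, cheaper row
    return {
        "format_ok": parse(old)[0] == 1_000 and len(parse(old)[1]) == 16,
        "login_ok": verify_password(old, "hunter2"),
        "wrong_rejected": not verify_password(old, "hunter3"),
        "upgrade_flagged": needs_rehash(old),
        "upgrade_done": not needs_rehash(hash_password("hunter2")),
    }


if __name__ == "__main__":
    print(hash_password("hunter2"))
    print(demo())
```

Two columns and one packed column hold the same information, as the poster says; what the single string buys is that the algorithm and cost are recorded beside the salt, so rows hashed under an older scheme can be recognised and upgraded one login at a time, and the whole thing stores as plain text (VARCHAR) just like a bcrypt string.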