CPasswordHelper works like PHP’s functions password_hash() and password_verify(), they are wrappers around the crypt() function. When you generate a BCrypt hash, you will get a string of 60 characters, containing the salt. // Hash a new password for storing in the database. $hashToStoreInDb = password_hash($password, PASSWORD_BCRYPT); The variable $hashToStoreInDb will now contain a hash-value like … Read more
The salt just needs to be random and unique. It can be freely known as it doesn’t help an attacker. Many systems will store the plain text salt in the database in the column right next to the hashed password. The salt helps to ensure that if two people (User A and User B) happen … Read more
The point of rainbow tables is that they’re created in advance and distributed en masse to save calculation time for others – it takes just as long to generate rainbow tables on the fly as it would to just crack the password+salt combination directly (since effectively what’s being done when generating rainbow tables is pre-running … Read more
Most of these answers are a bit misguided and demonstrate a confusion between salts and cryptographic keys. The purpose of including salts is to modify the function used to hash each user’s password so that each stored password hash will have to be attacked individually. The only security requirement is that they are unique per … Read more
Based on the other answers to this question, I’ve implemented a new approach using bcrypt. Why use bcrypt If I understand correctly, the argument to use bcrypt over SHA512 is that bcrypt is designed to be slow. bcrypt also has an option to adjust how slow you want it to be when generating the hashed … Read more
Often developers struggle with the verification of a login password, because they are not sure how to handle the stored password hash. They know that the password should be hashed with an appropriate function like password_hash(), and store them in a varchar(255) field: // Hash a new password for storing in the database. // The … Read more
Prefix or suffix is irrelevant, it’s only about adding some entropy and length to the password. You should consider those three things: The salt has to be different for every password you store. (This is quite a common misunderstanding.) Use a cryptographically secure random number generator. Choose a long enough salt. Think about the birthday … Read more
A public salt will not make dictionary attacks harder when cracking a single password. As you’ve pointed out, the attacker has access to both the hashed password and the salt, so when running the dictionary attack, she can simply use the known salt when attempting to crack the password. A public salt does two things: … Read more
Since questions about salting hashes come along on a quite regular basis and there seems to be quite some confusion about the subject, I extended this answer. What is a salt? A salt is a random set of bytes of a fixed length that is added to the input of a hash algorithm. Why is … Read more
Actually this is kind of strange, with the string conversions – which the membership provider does to put them into config files. Hashes and salts are binary blobs, you don’t need to convert them to strings unless you want to put them into text files. In my book, Beginning ASP.NET Security, (oh finally, an excuse … Read more