Hash and salt passwords in C#

I was just going through one of David Hayden's articles on Hashing User Passwords. Really I can't get what he is trying to achieve. Here is his code: private static string CreateSalt(int size) { //Generate a cryptographic random number. RNGCryptoServiceProvider rng = new RNGCryptoServiceProvider(); byte[] buff = new byte[size]; rng.GetBytes(buff); // Return a Base64 string representation …

Do I need to store the salt with bcrypt?

BCrypt's javadoc has this code for how to encrypt a password: String pw_hash = BCrypt.hashpw(plain_password, BCrypt.gensalt()); To check whether a plaintext password matches one that has been hashed previously, use the checkpw method: if (BCrypt.checkpw(candidate_password, stored_hash)) System.out.println("It matches"); else System.out.println("It does not match"); These code snippets imply to me that the randomly generated salt is …

How does password salt help against a rainbow table attack?

I'm having some trouble understanding the purpose of a salt to a password. It's my understanding that the primary use is to hamper a rainbow table attack. However, the methods I've seen to implement this don't seem to really make the problem harder. I've seen many tutorials suggesting that the salt be used as the …

Where do you store your salt strings?

I've always used a proper per-entry salt string when hashing passwords for database storage. For my needs, storing the salt in the DB next to the hashed password has always worked fine. However, some people recommend that the salt be stored separately from the database. Their argument is that if the database is compromised, an …