[Owasp-codereview] Adding Salt?
Nam Nguyen
namn at bluemoon.com.vn
Tue Mar 3 08:09:06 EST 2009
Hello Zaki
Salts are usually generated by the application, not by the users.
If salts were users' inputs, they would provide no more security than any other passwords.
So, salts are saved together with users' records and only the app knows about these salts. The app uses them in calculating salted password hashes.
Cheers
Nam
On Tue, 3 Mar 2009 18:10:18 +0700
Zaki Akhmad <zakiakhmad at gmail.com> wrote:
> Hello,
>
> I don't understand[1] how we compare the hash result from the password
> (after it has been concatenated with the salt) with the stored hash value. Doesn't
> the user have to enter the "salt value" after he/she enters the
> password in order to get the same hash value?
>
> Illustration:
> password: abcde
> salt: 01
> hash (password+salt) = qwertyqwerty
>
> But the user never enters the "salt value". CMIIW.
>
> --
> Zaki Akhmad
> [1]http://www.owasp.org/index.php/Hashing_Java#Why_add_salt_.3F
--
Nam Nguyen
Blue Moon Consulting Co., Ltd
http://www.bluemoon.com.vn
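The flow Nam describes, as an added example that is not from the list post or the OWASP page it cites: the application draws the salt, stores it next to the user's record, and reads it back at login so the user only ever types the password. It uses PBKDF2-HMAC-SHA256 in place of the bare hash(password+salt) from the illustration; the salt handling is the same. The record layout and function names are assumptions for the example.

```python
import hashlib
import hmac
import secrets

# Example code (not from the list post). PBKDF2-HMAC-SHA256 stands in for the
# hash(password+salt) of the illustration; the salt is handled identically.
ITERATIONS = 200_000
SALT_BYTES = 16


def hash_password(password: str, salt: bytes) -> bytes:
    """Derive the stored digest from the password and the app-chosen salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def register(password: str) -> dict:
    """Create the user record: a fresh random salt plus the salted hash.

    This is the only place the salt is created; the user never sees it.
    The dict is an assumed stand-in for a row in the users table.
    """
    salt = secrets.token_bytes(SALT_BYTES)
    return {"salt": salt, "digest": hash_password(password, salt)}


def verify(record: dict, password: str) -> bool:
    """Check a login attempt.

    The salt comes from the stored record, not from the user, so the app can
    recompute the same salted hash and compare it in constant time.
    """
    candidate = hash_password(password, record["salt"])
    return hmac.compare_digest(candidate, record["digest"])


if __name__ == "__main__":
    user = register("abcde")  # constructed sample password from the thread
    print("correct password:", verify(user, "abcde"))  # True
    print("wrong password:  ", verify(user, "abcdf"))  # False
    # Two users with the same password get different salts, hence different digests.
    other = register("abcde")
    print("different digests:", user["digest"] != other["digest"])  # True
```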